ML19240B390

Modification No. 015 to Task Order No. NRC-HQ-10-17-O-0001 Under Contract No. NRC-HQ-10-17-A-0004
ML19240B390
Person / Time
Issue date: 08/28/2019
From: Domonique Malone
Acquisition Management Division
To: Sinclair B
CGI Federal
References
NRC-HQ-10-17-A-0004


Text

AMENDMENT OF SOLICITATION/MODIFICATION OF CONTRACT
1. CONTRACT ID CODE    PAGE 1 OF 57 PAGES

2. AMENDMENT/MODIFICATION NO.: M0005
3. EFFECTIVE DATE: See Block 16C
4. REQUISITION/PURCHASE REQ. NO.: See Schedule
5. PROJECT NO. (If applicable):

6. ISSUED BY    CODE NRCHQ
U.S. NRC - HQ
Acquisition Management Division
Mail Stop: TWFN-5E03
Washington DC 20555-0001

7. ADMINISTERED BY (If other than Item 6)    CODE
8. NAME AND ADDRESS OF CONTRACTOR (No., street, county, State and ZIP Code)
CGI FEDERAL INC.
Attn: Barbara Sinclair
12601 FAIR LAKES CIRCLE
GWAC SOLUTIONS CENTER
FAIRFAX VA 220334902
CODE 145969783    FACILITY CODE

( ) 9A. AMENDMENT OF SOLICITATION NO.
    9B. DATED (SEE ITEM 11)
(x) 10A. MODIFICATION OF CONTRACT/ORDER NO.
    NRC-HQ-10-17-A-0004 / NRC-HQ-10-17-O-0001
    10B. DATED (SEE ITEM 13): 09/29/2017

11. THIS ITEM ONLY APPLIES TO AMENDMENTS OF SOLICITATIONS. The above numbered solicitation is amended as set forth in Item 14. The hour and date specified for receipt of Offers ( ) is extended ( ) is not extended.

Offers must acknowledge receipt of this amendment prior to the hour and date specified in the solicitation or as amended, by one of the following methods: (a) By completing Items 8 and 15, and returning ___________ copies of the amendment; (b) By acknowledging receipt of this amendment on each copy of the offer submitted; or (c) By separate letter or electronic communication which includes a reference to the solicitation and amendment numbers. FAILURE OF YOUR ACKNOWLEDGEMENT TO BE RECEIVED AT THE PLACE DESIGNATED FOR THE RECEIPT OF OFFERS PRIOR TO THE HOUR AND DATE SPECIFIED MAY RESULT IN REJECTION OF YOUR OFFER. If by virtue of this amendment you desire to change an offer already submitted, such change may be made by letter or electronic communication, provided each letter or electronic communication makes reference to the solicitation and this amendment, and is received prior to the opening hour and date specified.

12. ACCOUNTING AND APPROPRIATION DATA (If required) Net Increase: See Schedule

13. THIS ITEM ONLY APPLIES TO MODIFICATION OF CONTRACTS/ORDERS. IT MODIFIES THE CONTRACT/ORDER NO. AS DESCRIBED IN ITEM 14.

CHECK ONE

A. THIS CHANGE ORDER IS ISSUED PURSUANT TO: (Specify authority) THE CHANGES SET FORTH IN ITEM 14 ARE MADE IN THE CONTRACT ORDER NO. IN ITEM 10A.

B. THE ABOVE NUMBERED CONTRACT/ORDER IS MODIFIED TO REFLECT THE ADMINISTRATIVE CHANGES (such as changes in paying office, appropriation data, etc.) SET FORTH IN ITEM 14, PURSUANT TO THE AUTHORITY OF FAR 43.103(b).

(X) C. THIS SUPPLEMENTAL AGREEMENT IS ENTERED INTO PURSUANT TO AUTHORITY OF: FAR 52.232-22, 2052.215-70, I.7

D. OTHER (Specify type of modification and authority)

E. IMPORTANT: Contractor ( ) is not (x) is required to sign this document and return 1 copies to the issuing office.

14. DESCRIPTION OF AMENDMENT/MODIFICATION (Organized by UCF section headings, including solicitation/contract subject matter where feasible.)

GSA Contract #: GS-35F-281DA

The purpose of this modification is to:

1. Add incremental funding in the amount of
2. Exercise optional task CLIN 00005 Forensics SME
3. Exercise optional task CLIN 00007 Ad Hoc Security Operations support
4. Modify the key personnel.

Please see continuation pages for details.

Continued ...

Except as provided herein, all terms and conditions of the document referenced in Item 9A or 10A, as heretofore changed, remain unchanged and in full force and effect.

15A. NAME AND TITLE OF SIGNER (Type or print)
16A. NAME AND TITLE OF CONTRACTING OFFICER (Type or print): DOMONIQUE MALONE

15B. CONTRACTOR/OFFEROR (Signature of person authorized to sign)    15C. DATE SIGNED
16B. UNITED STATES OF AMERICA (Signature of Contracting Officer)    16C. DATE SIGNED: 08/28/2019

Previous edition unusable STANDARD FORM 30 (REV. 11/2016)

Prescribed by GSA FAR (48 CFR) 53.243

GLINDA SOC Services BPA Call NRC-HQ-10-17-A-0004 / NRC-HQ-10-17-O-0001 Modification 000054
GLINDA Security Operations Center (SOC) and Related Services
Page 5 of 55

TABLE OF CONTENTS

SECTION B - SERVICES AND PRICES / COSTS .... 7
B.1 BRIEF DESCRIPTION OF WORK ALTERNATE I .... 7
B.2 CONTRACT-LINE-ITEMS (CLINS) .... 7
B.3 CONSIDERATION AND OBLIGATION - LABOR-HOUR CONTRACT .... 8
B.4 CONSIDERATION AND OBLIGATION - FIRM-FIXED-PRICE .... 8
SECTION C - PERFORMANCE WORK STATEMENT .... 9
C.1 RESERVED .... 9
C.2 INTRODUCTION .... 9
C.3 BACKGROUND .... 9
C.4 SCOPE .... 9
C.4.1 Service and Delivery Objectives .... 9
C.4.2 Delivery Requirements .... 10
C.4.2.1.1 Kick-off Meeting .... 11
C.4.2.1.2 BPA Call Reporting .... 11
C.4.2.1.3 Service Status Meetings .... 12
C.4.2.1.4 SOC Performance Metrics Reporting and Analysis .... 12
C.4.2.1.5 Cross-Functional Integration .... 13
C.4.2.1.6 Program Delivery Management Deliverables .... 13
C.4.2.2.1 Security Monitoring and Analysis .... 17
C.4.2.2.2 Digital Media and Malware Analysis and Forensics .... 20
C.4.2.2.3 Enhance the Agency's Cyber Intelligence Capability .... 22
C.4.2.2.4 Incident Assessment and Response Services .... 23
C.4.2.2.5 SOC Operations Service Deliverables .... 25
C.4.2.3.1 Information Security Incident Coordination .... 26
C.4.2.3.2 Centralized NRC Security Incident Management Coordination .... 27
C.4.2.3.3 Incident Response Testing .... 28
C.4.2.3.4 Continuity of Operations (COOP) Coordination .... 28
C.4.2.3.5 Cybersecurity Communications and Coordination Deliverables .... 29
C.4.2.5.1 Commitment to Protect Non-Public Information .... 30
C.4.2.5.2 Position Sensitivity Designation .... 31
C.4.2.5.3 Information Security Awareness and Role-Based Training .... 31
C.4.2.5.4 Rules of Behavior .... 31
C.4.2.5.5 Information Security and Privacy .... 32
C.4.2.5.6 Controlling System Access .... 32
C.4.2.5.7 Security Incident Response .... 33
C.4.2.5.8 Security Standards .... 33
C.4.2.5.9 System Security Requirements .... 34
C.4.2.5.10 Interconnection Security Agreements .... 34
C.4.2.5.11 System Authorization and Assessment .... 34
C.4.2.5.12 Security Controls Compliance Assessment .... 35
C.4.2.5.13 Common Security Configurations .... 35
C.4.2.5.14 Security for Encryption .... 37
C.4.2.5.15 Patching .... 37
C.4.2.5.16 Tracking and Correcting Security Deficiencies .... 38
C.4.2.5.17 Security Tools Implementation .... 38
C.4.2.5.18 Return of NRC and NRC-Activity-Related Information .... 38
C.4.2.5.19 Verified Secure Destruction of NRC and NRC-Activity-Related Information .... 38
C.4.2.5.20 Return of NRC-Owned or Leased Computing Equipment .... 39
C.4.2.6 Section 508 - Information and Communication Technology Standards .... 39
C.4.2.6.1 General Requirements .... 39
C.4.2.6.2 Applicable Standards .... 39
C.4.2.6.3 Exceptions .... 40
C.4.2.6.4 Additional Requirements .... 41
C.4.2.6.5 Clarification .... 42
C.4.2.6.6 508-Specific Deliverables .... 42
C.4.3 Service Level Requirements .... 43
C.5 REQUIRED PERFORMANCE METRICS .... 43
C.6 STAFFING/KEY PERSONNEL REQUIREMENTS .... 44
C.6.1 Staffing .... 44
C.6.1.1 Staffing Requirements .... 45
C.6.1.1.1 Tier 1 Personnel .... 45
C.6.1.1.2 Tier 2 Personnel .... 46
C.6.1.2 Key Personnel .... 46
C.6.1.2.1 Key Personnel 1 .... 46
C.6.1.2.2 Key Personnel 2 .... 46
C.6.1.2.3 Key Personnel 3 .... 47
C.6.1.2.4 Tier 3 Personnel .... 47
C.6.1.3 Changes to Key Personnel .... 47
SECTION D - PACKAGING AND MARKING .... 48
D.1 MARKING DELIVERABLES .... 48
SECTION E - INSPECTION AND ACCEPTANCE .... 48
E.1 INSPECTION AND ACCEPTANCE BY THE NRC (SEP 2013) .... 48
E.2 INSPECTION AND ACCEPTANCE OF DELIVERABLES .... 48
SECTION F - DELIVERIES OR PERFORMANCE .... 49
F.1 PERIOD OF PERFORMANCE ALTERNATE .... 49
F.2 PLACE OF DELIVERY-REPORTS .... 49
F.3 PLACE OF PERFORMANCE .... 49
F.4 HOURS OF OPERATION .... 50
F.5 FEDERAL HOLIDAYS .... 50
SECTION G - CONTRACT ADMINISTRATION DATA .... 50
G.1 BPA CALL COR AUTHORITY .... 50
G.2 2052.215-70 Key personnel. (Jan 1993) .... 52
SECTION H - SPECIAL CONTRACT REQUIREMENTS .... 52
H.1 GOVERNMENT FURNISHED EQUIPMENT/PROPERTY .... 52
SECTION I - CONTRACT CLAUSES .... 53
I.1 RESERVED .... 53
I.2 RESERVED .... 53
I.3 52.217-8 OPTION TO EXTEND SERVICES (NOV 1999) .... 53
I.4 52.217-9 OPTION TO EXTEND THE TERM OF THE CONTRACT (MAR 2000) .... 53
I.5 52.232-19 AVAILABILITY OF FUNDS FOR THE NEXT FISCAL YEAR. (APR 1984) .... 54
I.6 TRAVEL APPROVALS AND REIMBURSEMENT .... 54
I.7 OPTION FOR ACQUISITION OF EVALUATED OPTIONAL FEATURES NOT PROCURED AT TIME OF AWARD OF CONTRACT (IT REQUIREMENTS) .... 54
I.8 52.252-2 CLAUSES INCORPORATED BY REFERENCE. (FEB 1998) .... 55
SECTION J - LIST OF DOCUMENTS, EXHIBITS AND OTHER ATTACHMENTS .... 55

SECTION B - Services and Prices / Costs

B.1 BRIEF DESCRIPTION OF WORK ALTERNATE I

(a) The title of this project is: Security Operations Center and Related Services

(b) Summary work description: The Contractor shall provide an integrated set of Security Operations Center (SOC) operations services. Please see Section C for details.

(End of Clause)

B.2 CONTRACT-LINE-ITEMS (CLINS)

CLIN 0001: GLINDA SOC Program Delivery Management: Firm Fixed Price (FFP)

                     CLIN     Total Price
  Base Period        00001
  Option Period 1    10001
  Option Period 2    20001
  Total

CLIN 0002: SOC Operations Services: Firm Fixed Price (FFP)

                     CLIN     Total Price
  Base Period        00002
  Option Period 1    10002
  Option Period 2    20002

CLIN 0003: Cybersecurity Communications and Coordination: Firm Fixed Price (FFP)

                     CLIN     Total Price
  Base Period        00003
  Option Period 1    10003
  Option Period 2    20003
  Total

CLIN 0004: RESERVED

CLIN 0005: OPTIONAL Forensics Subject Matter Expert (SME): Labor Hour (LH)

                     CLIN     Ceiling Price
  Base Period        00005
  Option Period 1    10005
  Option Period 2    20005
  Total

SECTION C - Performance Work Statement

C.1 RESERVED

C.2 INTRODUCTION

The Contractor shall provide an integrated set of Security Operations Center (SOC) operations services. Through successful support from the Contractor, the Agency's SOC will defend the NRC against unauthorized activity within its computer networks. Contractor support includes detecting, monitoring, and analyzing suspicious activity as well as supporting the Agency's response to malicious activity and contributing to restoration activities. The Contractor-supported SOC activities will also provide the structure for the Agency's users to report potential or suspected cybersecurity incidents. The Agency's SOC functions encompass all agency information technology (IT) systems and data, including websites, servers, databases, applications, networks, data centers, and endpoints.

During the life of this BPA Call, the Contractor shall transition the existing contractor support activities, staff and manage the NRC SOC, coordinate monitoring and response activities with the NRC SOC, other NRC offices, and designated NRC personnel, and identify opportunities to enhance SOC operations.

C.3 BACKGROUND

The NRC's SOC monitors, detects, analyzes, mitigates, and responds to cyber threats and adversarial activity on the NRC Enterprise. The analytical methodology required involves a combination of direct monitoring and response from the NRC SOC and coordinated activity with system administrators, Information System Security Officers (ISSOs), and other NRC Offices including regional locations.

The NRC obtains Internet connectivity through Department of Homeland Security (DHS) managed Trusted Internet Connection (TIC) gateways and uses a variety of information technology (IT) security technologies to limit access to internal sensitive systems. The NRC SOC has primary responsibility for monitoring and responding to security events and incidents detected on the agency's network and information assets as well as for administration and operation of IT security systems. Direction and coordination are achieved through a shared NRC incident tracking system and other means of coordination and communication with agency staff.

The NRC SOC is also responsible for coordinating and forwarding significant incident reports to the NRC Office of the Chief Information Officer (OCIO) Computer Security Incident Response Team (CSIRT). The NRC OCIO CSIRT reports incidents to the United States Computer Emergency Readiness Team (US-CERT) and other external entities on behalf of the NRC SOC, the OCIO Information Technology Services Development and Operations Division (ITSDOD), and other NRC offices.

C.4 SCOPE

C.4.1 Service and Delivery Objectives

The objectives of this BPA Call are to:

• Transition work between contractors without impact on the Agency's SOC services and capabilities
• Protect the information that NRC uses to fulfill its mission
• Seek out and thwart Advanced Persistent Threat (APT) attacks against the agency
• Act as central coordination body for Incident Response and Incident Assessment / Handling of the NRC infrastructure
• Identify opportunities to improve and/or transform its delivery model for the desired services (e.g. locating personnel in different locations, shared services, etc.)

At a high level, the NRC expects the SOC BPA Call Contractor to act in more of a monitoring and advisory capacity, whereas the SNCC BPA Call Contractor will be expected to focus more on engineering and implementing actions approved by the NRC. The Contractor may request technical direction from the BPA Call COR for specific, detailed situations not already specifically identified in the SOW as those situations arise after performance begins. This Performance Work Statement (PWS) does not include support for security engineering, including planning, implementation, configuration, and optimization of security software and hardware. Unless otherwise stated herein, these services are or will be delivered separately from this BPA Call. However, it is expected that the Contractor shall work collaboratively with security engineering resources and functions to optimize the Agency's information security posture.

C.4.2 Delivery Requirements

The Contractor shall provide all services necessary to support the NRC SOC including:

• Support Area #1: SOC Program Delivery Management
• Support Area #2: SOC Operations Services
• Support Area #3: Cybersecurity Event Communications and Coordination
• Support Area #4: Related Transition Activities
• Support Area #5: Security Compliance Requirements

The NRC's requirements and deliverables for each support area are described in the following sub-sections. Additionally, the Agency's service level requirements associated with these Contractor services are provided in Section C.4.3, Service Level Requirements.

C.4.2.1 Support Area #1: SOC Program Delivery Management

The Contractor shall provide the management and functional expertise needed to manage all aspects of delivery of the NRC SOC support services defined in this PWS and in the base GLINDA BPA. To accomplish this, the Contractor shall perform the following program delivery management activities:

• SOC Contractor resource assignment and management
• Status and problem reporting
• Service quality assurance
• Risk management
• Performance reporting and analysis
• Additional SOC administration services

Additionally, to improve the SOC functions and capabilities, the Contractor shall recommend improvements, enhancements and/or changes to the SOC processes, practices, infrastructure, tools, and facilities. The Contractor shall prepare all required documentation (e.g. reports and briefings) and submit it to designated NRC personnel and the appropriate agency change management boards for review and approval before implementation.

The Contractor shall execute all SOC related project activities under this contract following the concepts in the Project Management Institute (PMI) Project Management Body of Knowledge[1] (PMBOK) guide. For each project, the Contractor shall prepare a Project Management Plan describing the technical approach, organizational resources, risk management, communication management and other management controls to be employed to meet the cost, performance and schedule requirements throughout BPA Call execution.

C.4.2.1.1 Kick-off Meeting

The Contractor shall conduct a technical kick-off meeting with the NRC within ten (10) business days following BPA Call award. The Contractor shall present, for review and approval by the Government, an updated and finalized version of their proposed transition approach, work plan, and schedule for staffing the BPA Call to enable full assumption of SOC support services by the end of the transition period.

The Contractor shall specify the date(s) and agenda for the Kick-off meeting. The kick-off meeting agenda shall be provided to all attendees at least five (5) calendar days prior to the meeting. Meeting minutes shall be provided to Government attendees within three (3) business days after the meeting.

C.4.2.1.2 BPA Call Reporting

The Contractor shall provide BPA Call reports on the full range of services required under this BPA Call to the Contracting Officer's Representative (COR) and other designated NRC personnel. In addition to BPA Call level progress reporting, the Contractor shall inform the BPA Call COR of any issues, problems and recommendations for the overall efficient accomplishment of the BPA Call goals.

Recommendations for actions that need to be taken by NRC staff, or other Contractors, shall be clearly defined and communicated to the designated COR, and have identified dates for completion. In addition to BPA Call reporting, the Contractor shall be required to provide detailed security operation reports as described in each section of this PWS.

For any SOC project related activities, the Contractor shall provide monthly project status reports focused on the status of major milestones/deliverables as well as planned and actual project schedule and costs. Project reporting shall also address any issues, problems, risks or concerns that could negatively impact the project.

The Contractor shall also periodically provide status briefings to management to summarize its services activities and accomplishments, present analyses of major challenges, and offer innovative solutions to improve weaknesses based on established performance measures.

[1] https://en.wikipedia.org/wiki/Project_Management_Body_of_Knowledge

Additional detail associated with this BPA Call's reporting requirements is provided within each support area as designated deliverables.

C.4.2.1.3 Service Status Meetings

Recurring service status meetings between the NRC and the Contractor are required to discuss the Agency's SOC operations, its performance, and continued ability to accomplish its mission of providing NRC enterprise cybersecurity. To accomplish this, the Contractor's Program Manager shall meet with designated NRC personnel to present a summary report as described in the deliverables section of this PWS.

The Contractor shall also manage the logistics associated with recurring status and other meetings by preparing and delivering Meeting Agendas, Meeting Minutes, Presentation Materials, and an Action Item List for each meeting, review and/or conference. The Contractor shall notify the Government of its readiness prior to the start of any meeting, review, and/or conference. The following additional requirements are applicable to all meetings, reviews and/or conferences:

1. All meetings, reviews, and/or conferences will be held at NRC facilities in the Rockville, MD area, unless directed otherwise by the Government. The Contractor shall propose a date for the meeting, review and/or conference for the BPA Call COR's approval.
2. For all presentations, the Government reserves the right to revise the agenda and/or presentation materials. The Contractor shall provide appropriate Contractor personnel available to respond to Government questions. The Contractor shall prepare and deliver a summary of open, pending, and closed action items and presentation materials five (5) days prior to the start of each scheduled conference, meeting, and/or review.
3. All reports and information therein developed as part of the SOC and Related Support effort for the NRC will be owned by the NRC and may not be used or shared by the Contractor for any purpose other than its services to NRC and the BPA Call.
4. Contractor shall record and submit minutes. The Contractor shall track action items. Each assigned action item shall have a due date and responsible Government or Contractor person(s) assigned, who shall provide the status of the action at agreed upon intervals until the action is closed. In the event an action item cannot be closed promptly, a plan of action shall be developed for closure.

C.4.2.1.4 SOC Performance Metrics Reporting and Analysis

The Contractor shall work with the BPA Call COR and their designees to develop, pilot, refine, deploy, and execute a Performance and Investment Metrics Program for the NRC SOC, with all proposed metrics approved by the BPA Call COR prior to commencement of data collection.

The Contractor's Performance and Investment Metrics Program shall collect a uniform set of measures and use these measures to assess the mission effectiveness and cost effectiveness of the NRC SOC investments in cybersecurity technology solutions. The Contractor's Performance and Investment Metrics Program shall routinely measure, analyze, and report bi-weekly qualitative and quantitative measures and metrics on:

• The impact of each NRC cyber security incident and estimated recovery costs
• The degree and effectiveness of computer network defense sensor coverage across the NRC Infrastructure and any deficiencies in coverage identified
• The effectiveness of the Contractor's implementation of the NRC intrusion defense chain (IDC) methodology in the NRC SOC. The Intrusion Defense Chain methodology currently in use at the agency maps existing IT security technologies to detection/prevention of the seven steps in the industry standard Cyber Intrusion Kill Chain Model.
• False Positive Reporting Rates (FPRR) for each security tool and summary of signature tuning actions taken to reduce false positives
• The number and categories of threats of concern identified by the SOC and those supplied to the SOC by other Government Agencies

The Contractor's Performance and Investment Metrics Program shall focus on analysis of cybersecurity events, incidents, and incident response metrics and trends, with the goal of deriving predictive metrics, anticipating emerging and evolving threats, and implementing countermeasures and mitigations.
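Three of the metrics listed above (per-tool FPRR, degree of IDC coverage across the seven kill-chain steps, and confirmed detection effectiveness per step) can be computed directly from analyst dispositions; the Python below is an added example, not part of the BPA Call or the PWS, and its tool names, IDC mapping, disposition vocabulary and alert records are all constructed assumptions.

```python
"""Per-tool FPRR and Intrusion Defense Chain coverage from constructed analyst
dispositions. Added example; tool names, the IDC mapping, the disposition
values and every record are assumptions invented for illustration."""
from collections import defaultdict
from dataclasses import dataclass

# The seven steps of the industry-standard Cyber Intrusion Kill Chain model
# that the PWS says the NRC Intrusion Defense Chain (IDC) maps tools against.
KILL_CHAIN_STEPS = (
    "reconnaissance", "weaponization", "delivery", "exploitation",
    "installation", "command_and_control", "actions_on_objectives",
)

# Assumed IDC mapping: which kill-chain steps each hypothetical tool is
# deployed to detect or prevent. Steps no tool maps to are coverage gaps.
IDC_MAPPING = {
    "ids": {"delivery", "exploitation"},
    "edr": {"exploitation", "installation", "actions_on_objectives"},
    "proxy": {"delivery", "command_and_control"},
}


@dataclass(frozen=True)
class Alert:
    tool: str         # tool that raised the alert
    step: str         # kill-chain step the triggering signature is mapped to
    disposition: str  # analyst verdict: true_positive | false_positive | open


# Constructed alert dispositions for one bi-weekly reporting window.
SAMPLE_ALERTS = [
    Alert("ids", "delivery", "false_positive"),
    Alert("ids", "delivery", "true_positive"),
    Alert("ids", "exploitation", "false_positive"),
    Alert("ids", "exploitation", "false_positive"),
    Alert("edr", "installation", "true_positive"),
    Alert("edr", "installation", "true_positive"),
    Alert("edr", "actions_on_objectives", "false_positive"),
    Alert("edr", "actions_on_objectives", "open"),
    Alert("proxy", "command_and_control", "true_positive"),
    Alert("proxy", "command_and_control", "true_positive"),
    Alert("proxy", "command_and_control", "false_positive"),
    Alert("proxy", "command_and_control", "false_positive"),
]


def fprr_by_tool(alerts):
    """FPRR per tool = false positives / alerts that have a verdict.

    Alerts still 'open' are excluded so an unworked backlog cannot lower a
    tool's rate. A tool with no closed alerts gets None, not a ZeroDivisionError.
    """
    false_pos = defaultdict(int)
    closed = defaultdict(int)
    for a in alerts:
        if a.disposition == "open":
            continue
        closed[a.tool] += 1
        if a.disposition == "false_positive":
            false_pos[a.tool] += 1
    tools = sorted({a.tool for a in alerts})
    return {t: (round(false_pos[t] / closed[t], 3) if closed[t] else None)
            for t in tools}


def tuning_candidates(alerts, threshold=0.5):
    """Tools whose FPRR meets the threshold: candidates for signature tuning."""
    return [t for t, r in fprr_by_tool(alerts).items()
            if r is not None and r >= threshold]


def coverage_by_step(mapping):
    """Invert the IDC mapping: kill-chain step -> sorted tools covering it."""
    cov = {step: [] for step in KILL_CHAIN_STEPS}
    for tool, steps in mapping.items():
        for step in steps:
            if step not in cov:
                raise ValueError(f"{tool!r} maps to unknown step {step!r}")
            cov[step].append(tool)
    return {step: sorted(tools) for step, tools in cov.items()}


def coverage_gaps(mapping):
    """Kill-chain steps that no deployed tool is mapped to (the deficiencies)."""
    return [s for s, tools in coverage_by_step(mapping).items() if not tools]


def detection_effectiveness(alerts, mapping):
    """Per step: confirmed true positives from tools actually mapped to it.

    Separates 'a tool is deployed for this step' (degree of coverage) from
    'it has caught something there' (effectiveness), as the PWS metric does.
    """
    tp = {step: 0 for step in KILL_CHAIN_STEPS}
    for a in alerts:
        if a.disposition == "true_positive" and a.step in mapping.get(a.tool, ()):
            tp[a.step] += 1
    return tp
```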

If Contractor analyses of performance and investment metrics indicate that existing operational NRC SOC tools may put the NRC SOC at risk of not meeting Service Level and/or Operational Level Requirements in capability, or may result in below industry average cost-effectiveness in protecting the NRC infrastructure against current and emerging cybersecurity threats and attacks, the Contractor shall, as requested by the COR:

1. Evaluate alternative commercial and Government developed tools.
2. Identify, analyze, and recommend tools that the Contractor believes will allow NRC to meet and/or exceed Service Level and/or Operational Level Requirements, and/or will allow NRC to meet or exceed industry average cost-effectiveness.
3. Develop and deliver a security tool roadmap, with funding requirements, for NRC acquisition and deployment of recommended replacement tools.

C.4.2.1.5 Cross-Functional Integration

Given the Agency's multi-provider IT operations and delivery environment, the Agency is implementing a Service Delivery Integration Team (SDIT) to help ensure all GLINDA and other related Contractors act in unison and maintain unified processes for the delivery of services to the NRC. To support these requirements, the Contractor shall:

1. Integrate its processes with the Agency's service management technologies and collaborate with the SDIT and its related team members to successfully address all of the requirements listed in this PWS.
2. Participate and contribute to Daily Operational Calls with the SDIT.

To avoid potential conflicts with the Contractor, any third-party personnel or vendors the NRC may engage to support the SDIT may not participate in the delivery of services under the GLINDA BPA.

C.4.2.1.6 Program Delivery Management Deliverables

The Contractor shall provide the deliverables listed in the following table. All deliverables shall be submitted in Microsoft Word or Excel formats via email to the BPA Call COR unless otherwise designated by the BPA Call COR during execution of the BPA Call.

Page 15 of 55

GLINDA SOC Services BPA Call NRC-HQ-10-17-A-0004 / NRC-HQ-10-17-O-0001 Modification 000054

Deliverable: NRC SOC Services Program Management Plan (describes how SOC services will be delivered to the NRC by OCIO)
Due Date:
o Draft: Fifteen (15) business days after BPA Call Transition Working Session
o Government Comments: Provided within twenty (20) business days after receipt of draft
o Final: Transition End Date
o Update: As required to incorporate Government approved changes

Deliverable: BPA Call Management Plan (describes the specifics regarding how the Contractor will deliver its services to the NRC's security stakeholders)
Due Date:
o Draft: Twenty (20) business days after BPA Call Transition Working Session
o Government Comments: Provided within twenty (20) business days of draft submission
o Final: Transition End Date
o Update: As required to incorporate Government approved changes

Deliverable: BPA Call Status Reports
Due Date:
o Weekly Summary: Provided every Monday by 10 AM for the previous week, starting the Monday after the Transition ends / Go live date
o Monthly Summary: Provided by the 5th of each month for the previous month
o Quarterly Summary: Provided by the 5th of the following month for the previous quarter
Anticipated reporting topics include:
o Notable accomplishments
o Funding burn rates (Monthly Only)
o Issues or key risks, including constraints (e.g., cost, schedule, etc.) and assumptions, and planned responses for each
o Security Event Notifications and Status of Investigations (includes Stakeholders and systems impacted)
o Status on previously identified issues, actions taken to mitigate the issue and/or progress made in rectifying the issue
o Explanations for any unresolved issues, including possible solutions and any actions required of the Government and/or Contractor to resolve or mitigate any unresolved issue, including a plan and timeframe for resolution
o Recommendations for changes or additional activities to ensure that the tasks overall meet NRC SOC objectives
o Work planned for the subsequent four (4) weeks (weekly report only)
o Open actions for both the Contractor and NRC with due dates and agreed upon priorities (High - impacts schedule if not completed on time; Medium - may impact schedule; Low - needs to be completed but not a critical path item)

Deliverable: Service Status Reports
Due Date:
o Monthly Summary: Provided by the 5th of each month for the previous month, to start April 2018
Anticipated reporting topics include:
o Current SOC service levels and service level trends
o The status of security incidents by Agency designated categories
o Actions accomplished during the reporting period
o Statistics for event and incident tickets, call logs, investigatory cases, and security event notifications, including events/incidents generated per region, device, and signature (e.g. top talkers, top attackers, top victims, outliers, and alert trends)
o The availability, reliability, and effectiveness of commercial SOC tools and infrastructure
o The Contractor's progress in continual improvement of SOC capabilities and delivery of SOC services
o SOC operational risks and issues, mitigation and escalation actions, and proactive problem management actions
o As requested by the COR, deliver presentations, analyses, and advice from the Contractor's subject matter experts on specific NRC SOC service delivery issues and topics

Deliverable: Communications Plan
Due Date:
o Draft: Thirty (30) business days after BPA Call Transition Working Session
o Government Comments: Provided within twenty (20) business days after receipt of draft
o Final: Transition End Date

Deliverable: Quality Assurance Plan
Due Date:
o Draft: Prior to Kickoff Meeting
o Government Comments: Provided within twenty (20) business days after receipt of draft
o Final: Transition End Date

Deliverable: Risk Management Plan
Due Date:
o Draft: Prior to Kickoff Meeting
o Government Comments: Provided within twenty (20) business days after receipt of draft
o Final: Transition End Date

Deliverable: Performance and Investment Metrics Program Roadmap
Due Date:
o Draft: Thirty (30) business days after BPA Call Transition End / Go Live Meeting
o Government Comments: Provided within twenty (20) business days after receipt of draft
o Final: Fifteen (15) business days after receipt of Government comments on the Draft

Deliverable: Performance and Investment Metrics Program Pilot Plan
Due Date:
o Draft: Thirty (30) business days after BPA Call Transition End / Go Live Meeting
o Government Comments: Provided within twenty (20) business days after receipt of draft
o Final: Fifteen (15) business days after receipt of Government comments on the Draft

Deliverable: Performance and Investment Metrics Program Deployment Plan
Due Date:
o Draft: Sixty (60) business days after BPA Call Transition End / Go Live Meeting
o Government Comments: Provided within twenty (20) business days after receipt of draft
o Final: Fifteen (15) business days after Government comments on the Draft

Deliverable: Performance and Investment Metrics Report
Due Date:
o At transition end, delivery of the legacy metrics report is due 20 days after transition end / go live. After the Performance Improvement Metrics Deployment Plan is finalized, the updated Performance and Investment Metrics Report is due 30 days out.
o Weekly Summary: Provided every Monday by 10:00 a.m. for the previous week
o Quarterly Summary: Provided by the 5th of the following month for the previous quarter

Deliverable: Recommendations for SOC Technology Enhancements Report
Due Date:
o Update: Quarterly on the 5th of Agency designated months

Deliverable: Performance Requirements Summary (Includes SLAs)
Due Date:
o Commencing April 2018, provided by the 5th of each month for the previous month

Deliverable: Meeting Agenda, Minutes, Action Items
Due Date:
o Agenda: Two (2) business days prior to meeting during transition and steady state. Meeting calendar invite sent five (5) business days prior to meeting
o Minutes and Action Items: Three (3) business days after meetings

Deliverable: Transition Lessons Learned
Due Date:
o Draft: Fifteen (15) business days after Transition End / Go Live Meeting
o Government Comments: Provided within ten (10) business days after receipt of draft
o Final: Fifteen (15) business days after the completion of the transition

C.4.2.2 Support Area #2: SOC Operations Services The Contractor shall provide the technical expertise to operate the NRC's SOC operations, and is accountable for the delivery of the following SOC operations services:

Performing security monitoring and analysis
Performing digital media and malware analysis
Enhancing the Agency's cyber intelligence capability
Providing incident assessment and response coordination

In its delivery of these services, the Contractor shall perform the activities and associated deliverables as described in more detail in the following sub-sections. The NRC currently has the approved tools and equipment it believes are needed to perform the requirements described in this section. However, the Contractor shall ensure its staff is trained on the tools and equipment.

C.4.2.2.1 Security Monitoring and Analysis The Contractor shall provide the required technical and domain expertise to accomplish the following security monitoring and analysis services. The Contractor shall conduct database and/or web application scans. Although typically a consumer of external scans (e.g. DHS, NRC OIG, various Red Teams), the Contractor may also be asked to perform additional scans with tools provided by the NRC. In addition, approximately 4,800 workstations, 600 servers, and 300 network devices are currently being monitored by the SOC. These numbers may increase and/or decrease during the Period of Performance. From a technical perspective, the following security monitoring and analysis technologies are currently used by NRC (NRC reserves the right to add and/or remove technologies from this list during the Period of Performance):

Palo Alto firewalls/IPS
Blue Coat web proxies
ForeScout CounterACT NAC
Tenable SecurityCenter
Splunk Enterprise Security (The current raw Splunk processing volume of events is 150 GB/day. NRC is currently licensed for 200 GB/day maximum. All hosts, with the exception of workstations, are currently being logged into Splunk.)
Symantec Endpoint Protection
Cisco IronPort email appliances

In addition, NRC currently has 23 FISMA reportable systems (this number may increase and/or decrease during the Period of Performance). The majority of the FISMA systems are located at the NRC Headquarters complex. A few FISMA systems are located elsewhere within the Continental United States.

The Contractor shall:

1. Provide 6:00 a.m. - 6:00 p.m. Monday - Friday business hour monitoring with after-hours on-call support and include an option for 24x7x365 monitoring if requested by the NRC. If the 24x7x365 option is requested by the BPA Call COR, the Contractor shall, at a minimum, provide Tier 1 level support during the timeframe requested by the BPA Call COR. During the after-hours timeframe (in this specific context, 6 p.m. - 6 a.m.), the Contractor may provide Tier 1 Support by Contractor personnel who are within commuting distance of the NRC facility. The scope includes monitoring and analysis of all NRC IT security systems in near real time, including logs, alerts, automated reports, system consoles, security dashboards and any other security event information received from all NRC-approved security feeds and designated system logs (see Section 7 for associated personnel requirements).
2. Develop and maintain formal, documented SOC standard operating procedures (SOPs) that are delivered for the review and approval of designated NRC personnel when developed or modified. SOPs provide the operational basis for the NRC SOC Concept of Operations (CONOPS).


3. Investigate and positively identify anomalous events that are detected by security devices or reported to the SOC from external entities, NRC Offices, system administrators, and the user community via security monitoring platform and tools, incoming phone calls, emails, and workflow ticketing and assignment tools.
4. Develop and provide daily status reports as a component of operational report deliverables.
5. Manage the resolution of computer security events that affect NRC information systems through the use of the OCIO event ticketing system. NRC notes that computer security event tickets are not automatically generated into the OCIO event ticketing system. In addition, the current OCIO event ticketing system (Remedy) is different from the current Incident Response Tracking System (RSA Archer) (Note: NRC reserves the right to add and/or remove the technologies it utilizes during the Period of Performance.)
6. Analyze suspicious web or email files for malicious code discovered through security event log monitoring and any other available sources.
7. Determine indicators, including command and control channels, for malicious code.
8. Provide recommendations specific to tactical Internet filtering or other measures to mitigate cyber threats.
9. Develop, implement, modify, and disseminate new security content, such as Intrusion Detection System/Intrusion Prevention System (IDS/IPS) rules and cyber threat indicators, based on cyber threat intelligence and the results of the NRC SOCs own analysis.
10. Continuously tune the NRC provided Security Information and Event Management (SIEM) System, through rule creation and engineering to reduce false positives and discover previously unknown threats.

11. Perform complex scripting with the ability to output the results in a variety of formats (to include Hyper Text Markup Language (HTML), Extensible Markup Language (XML) or other type most appropriate for the task) and to repurpose the results for reports targeting different NRC audiences levels (i.e., other analysts, management, etc.). Scripting expertise will help the SOC automate various tasks and go beyond the built-in ready-made tools of each security vendor. The scripting used for SOC purposes currently at the NRC includes PowerShell, Python, JavaScript, Linux Shell, and Perl. The NRC reserves the right to change the scripting languages used by SOC during the Period of Performance.
12. Monitor, detect, and analyze potential intrusions in real time and through historical trending on security-related information.
13. Collect and integrate monitoring and other data feeds from other providers (e.g. cloud, etc.) with on premise data feeds as appropriate.

C.4.2.2.1.1 Security Event Impact Classification and Prioritization The Contractor shall provide the required technical and domain expertise to accomplish the following event impact classification and prioritization services:

1. Monitor and analyze security event data and investigate reported incidents from sources that include but are not limited to system logs, automated reports, and event correlation between Intrusion Prevention Systems (IPS), proxy traffic, endpoint protection software, mail gateways, firewalls, and National Cyber Protection System (NCPS), also referred to as Einstein.
2. Review audit logs from investigative actions or those that produce alerts and record any inappropriate activity in order to reconstruct events as part of security investigations.

Suspected illegal activities shall be referred to the NRC Computer Security Incident Response Team (CSIRT) in accordance with Federal reporting requirements and NRC policy.


3. Provide event analysis and evaluation of reported security violations and provide post-analysis categorization, prioritization, and recommendation of event disposition to the BPA Call COR and their designees. The format and content of the event analysis and recommendation of event disposition will be discussed and determined with the Contractor after BPA Call award.
4. Document all event investigation activities, incoming CSIRT requests for information, or suspected incident reports as required for law enforcement records, case disposition and audit reviews. No information shall be released to any law enforcement agency without guidance from the BPA Call COR.
5. Classify events based on the most current United States Computer Emergency Readiness Team (US-CERT) Impact Classification guidelines (the most current at the time of writing was October 1, 2014), current CONOPS and SOPs, and leverage the information in a time series, or other ways, to provide trending.

C.4.2.2.1.2 Monitoring and Analysis Related Reporting The following tools are used to generate all current SOC reporting. The NRC reserves the right to add and/or remove tools from this list during the Period of Performance:

Web Proxies - Symantec Blue Coat
Antivirus / Advanced Persistent Threat / Endpoint Protection software - Symantec Endpoint Protection
IDS/Intrusion Prevention System (IPS) - Palo Alto
Domain Name System (DNS) and Domain Name System Security Extensions (DNSSEC) - BIND application running on Red Hat Linux servers
Email Security and SPAM filtering - Cisco IronPort
Firewalls - Palo Alto
Malicious file execution sandbox appliance - Palo Alto Wildfire
Web content security scanning system - Trustwave
Network Access Control system - ForeScout CounterACT
Vulnerability and compliance scanning system - Tenable SecurityCenter
IPSEC VPN - Palo Alto
SSL VPN remote access - Citrix Netscaler
Application delivery controller - Citrix Netscaler
Log Management - Splunk Enterprise
SIEM - Splunk Enterprise Security

As a component of its security monitoring and analysis delivery activities, the Contractor shall:

1. Provide written reports to designated NRC personnel detailing all security events related to network security matters and submit these reports according to the procedures and reporting requirements established in NRC SOPs and guidelines.
2. Document incident investigations and case analysis in accordance with approved law enforcement collection and documentation techniques and NRC policy to address chain of custody and digital media analysis requirements.
3. Use the approved agency incident management system to determine and document problem status, resolution, and prevention measures.
4. Inform impacted users and management, via agency approved secure communications methods, regarding the status of changes, enhancements, and problem resolution.


5. Complete resolution or referral of all NRC Enterprise security issues in accordance with established timelines as established in SOC SOPs and CONOPS.
6. Establish POA&Ms and processes for tracking the correction of internal self-assessment and external audit findings related to the IT Infrastructure (ITI) System.
7. Collect, analyze, and package responses received from various NRC stakeholders to data ad-hoc and recurring requests from external entities.
8. Provide weekly, monthly, and quarterly Monitoring and Analysis Activities Reports as a component of Operational Report Deliverables.

C.4.2.2.2 Digital Media and Malware Analysis and Forensics The Contractor shall provide analysis and forensics subject matter expert services on an on-call 24-hour, 365-day basis. To accomplish this, the Contractor shall provide the technical and advisory expertise necessary to:

1. Conduct network and media forensics related to Agency incident and compromise response activities, including, but not limited to: Malware Detection, Lateral Movement Detection, Data Collection Detection, and Data Exfiltration Detection.
2. Perform Advanced Adversary Hunting.
3. Provide guidance and expertise to Incident Response Teams associated with FISMA systems operated by or on behalf of the NRC in the areas of digital forensics and malware analysis. Malware analysis tools currently in use by NRC (which may change during the Period of Performance at NRC's discretion) include Palo Alto Wildfire, Symantec Endpoint Protection, and publicly available open source malicious software analysis systems.
4. Monitor industry threat intelligence sources to proactively tune Agency tools.
5. Develop, maintain, and optimize the Agency's malware analysis environment.
6. Prepare and provide network and media forensics, malware analysis, and advanced hunting reports using Agency-approved report formats.
7. Utilize industry standard evidence acquisition, transport, storage and destruction to prevent unauthorized disclosure of data.
8. Develop and share Indicators of Compromise (IOCs) with designated NRC personnel for dissemination to relevant stakeholders.
9. Utilize Agency Malware Analysis form for forensics and malware analysis reporting.
10. Collaborate with, and provide required technical expertise to, internal and external entities (OCIO, contractors, US-CERT, DHS, and local Law Enforcement) for incident response and investigative activities as directed by the BPA Call COR.
11. Conduct ad hoc, daily, weekly, and monthly security briefs and reporting to designated OCIO personnel on the Forensics and Malware Analysis program and activities.
12. Maintain and optimize all program documentation related to Forensics, Malware Analysis and Advanced Hunting based upon innovation, industry techniques, policies, laws, and regulations.
13. Provide risk analysis for vulnerabilities, incidents, and changes as requested.
14. Provide subject matter expertise on policies, industry trends, techniques related to Forensics, Malware Analysis, and Advanced Hunting.
15. Receive NRC approval prior to contacting any stakeholders external to OCIO for any reason.
16. Work with designated OCIO and other Contractors to develop and optimize the Agency's Security Toolsets and services distribution to provide comprehensive visibility, situational awareness, and response readiness.


17. Adhere to existing policies and procedures for preserving chain of custody of equipment as part of investigations, as required by federal law, NRC Office of the Inspector General (OIG), and NRC Office of the General Counsel (OGC).

18. Ensure that appropriate digital media analysis tools and equipment (i.e. spare hard drives for replication) are maintained.
19. Ensure that personnel are appropriately trained and certified in digital media analysis processes and the specific tools selected, to include use of distributed Enterprise digital media analysis tools deployed to remote systems.
20. Ensure that all Contractor personnel are appropriately trained and able to identify signs of malicious code infection on target systems.
21. Provide remedial recommendations and produce consistent comprehensive reports on findings. Activities include:
a. Offline analysis of detected malicious code in an isolated lab environment. A virtual isolated lab environment consisting of standalone laptops currently exists. The tools to be provided (which may change over time) include Symantec Endpoint Protection software along with freeware and open source software including products such as AVG antivirus and malware protection, Malwarebytes Security, VirusTotal & Anti-Malware Software and various Adobe PDF analysis tools.
b. Advanced traffic analysis (at the packet level) and reconstruction of network traffic to discover anomalies, trends, and patterns affecting NRC networks.
c. Analysis and recommendation of hardware and/or software tools that will assist in traffic analysis.
d. Implementation, training, and SOP development and maintenance of implemented solutions.
e. Hard drive analysis of suspected systems impacted by malicious activity, to include occasional hard drive imaging.
f. In-depth Web log analysis to determine trends, patterns, and suspicious activity.
g. Pattern analysis, trend analysis, behavior analysis and other specialized analysis.
h. Reporting results of all analyses to the BPA Call COR and their designees.

C.4.2.2.2.1 Email Security Monitoring and Analysis The Contractor shall provide the required technical and domain expertise to:

1. Provide 24x7x365 monitoring of email traffic to and from the Internet as well as Help Desk tickets related to suspicious emails to detect phishing attacks and malicious email attachments as well as any suspicious outbound message originating from NRC accounts.
2. Provide weekly, monthly, and quarterly reports of monitoring and analysis activities related to email attacks (e.g. anomalous email indicators, malware, spam, flooding, or attacks) to be included in standard operations reports.
3. Respond to email attacks by:
a. Identifying users who may have received malicious messages.
b. Identifying any infections that occurred as a result of the message.
c. Initiating blocks at agency Internet mail gateways for applicable email message characteristics.
d. Alerting affected users of malicious email attempts and providing resolution or mitigation within the timeframe established in the current SOP.

C.4.2.2.2.2 SOC Email Security Requirements The NRC's SOC leads the Agency's efforts against general email-based intrusion attacks. The team is charged with providing coverage to ensure a proactive approach to defending against email attacks and a reactive approach when responding to successful attacks. To successfully address these requirements, the Contractor shall:

1. Assist with the management of security policies in place at the agency mail gateways.
2. Assist with the administration of security configurations at the agency mail gateways, to include: spam quarantining, redirecting and blocking of malicious messages, and the blind carbon copy (BCC) of suspicious messages to SOC monitored mailboxes.
3. Perform analysis to identify Targeted Spear Phishing attacks and distinguish them from general mass email attacks.
4. Provide weekly, monthly, and yearly metric reports to designated NRC personnel showing SOC progress and challenges related to email security.

C.4.2.2.3 Enhance the Agency's Cyber Intelligence Capability Currently, NRC leverages US-CERT for its cyber intelligence capability. To enhance the Agency's cyber intelligence capability and help ensure its computer network defense, the Contractor shall:

1. Provide cleared security analysts to perform specific tasks that require access to classified information.
2. Consolidate and conduct comprehensive analysis of threat data obtained from classified, proprietary, and open source resources to provide indication and warnings of impending attacks against NRC unclassified networks.
3. Perform cyber and technical threat analyses of hostile nation-states, hacker groups, terrorist organizations and other bad actors able to do harm to NRC networks.
4. Conduct link analysis of technical data using software tools to identify trends in attacks, targeting, and timing of suspicious/malicious activity.
5. Produce situational, incident-related reports on cyber threats that could affect NRC networks. The DHS requirement for US-CERT reportable incidents is 1 hour from confirmed detection (as already mentioned elsewhere in the PWS, NRC Federal Personnel will report any incidents to US-CERT). Non-reportable incidents are typically completed within 24 hours of the event. The Incident Response template to be used is based on US-CERT required information and additional NRC-specific information. Once all the information is collected about an incident, it generally takes around 15 minutes to complete the template.
6. Assist the Government in tracking and reporting trends on Advanced Persistent Threat attacks and intrusion incidents.
7. Perform advanced analyses of potentially malicious activities that have occurred, or are believed to have occurred, on the NRC network.
8. Build, test, and deploy customized Intrusion Prevention System (IPS) signatures; and monitor logs, alerts, and automated reports from devices onto which those signatures are deployed.
9. Perform scripting as needed to output the results in a variety of formats (to include HTML, XML or other type most appropriate for the task) and to repurpose the results for reports targeting different technical levels (i.e. other analysts, management, etc.)
10. Maintain situational awareness of current activity and risks by mining open source and classified data sources and coordination with cyber experts, government and private sector CSIRCs, law enforcement agencies, Counter Intelligence analysts, and other representatives from partner government agencies.

11. Leverage all source intelligence to develop improved information on cyber threats and to perform advanced technical analysis on incidents that occur on the NRC Enterprise.
12. Analyze and report on unique attack vectors, emerging cyber threats, new vulnerabilities, and current trends used by malicious actors.
13. Develop and actively manage network and intelligence collection efforts to address current NRC collection priorities and requirements.
14. Assist the Government with dissemination of cyber threat information to senior management, security personnel, and the Intelligence, Law Enforcement, and Computer Network Defense communities (e.g. other agency SOCs, CYBERCOM, etc.).
15. Prepare briefing materials and conduct threat briefings for NRC leadership as needed.
16. Maintain Government owned databases to catalog and track ongoing threats to the NRC Enterprise.
17. Contribute to NRC working groups, task forces, and committees and provide relevant information to help address national objectives.

C.4.2.2.4 Incident Assessment and Response Services In coordination with NRC Offices, contractors, and other organizations within and outside of NRC, the Contractor shall assess, respond to, and recover the NRC's affected services from any NRC computer security incident, and coordinate legal issues that may arise during incidents. To address these requirements, the Contractor shall:

1. Act in accordance with all of the incident response requirements throughout this BPA Call.
2. Adhere to any and all CONOPS, SOC procedures and guidance (NIST and NRC Security Policy), as well as response deadlines for OMB and DHS data calls, when performing Incident Response.
3. Escalate an incident as determined by the SOC SOPs to a cognizant organization.
4. Coordinate incident analysis, response, and communications within the NRC SOC.
5. Travel with minimal notice to remote facilities to provide incident assessment and response services.
6. Utilize the incident tracking system to track the incident from cradle to grave.
7. Collect any information (logs, packet capture or PCAP, hard drive images) that will be used for analysis.
8. Provide daily reports until closure and after-action reports during and following an incident, compromise, exercise, or major event.
9. Maintain knowledge and compliance with the rules of collecting evidence and documentation for Law Enforcement.

All after-action or lessons learned reports to the BPA Call COR shall be in business language and effectively communicate the effect on the mission; what assets were targeted; was the adversary successful in their attempt; the adversary motivation (if possible); the plan to recover, mitigate the issues, and continue the mission; and the criteria used to determine systems were no longer compromised. Additionally, Lessons Learned shall be documented after every major incident and as required by NRC incident reporting policies.

From a technical perspective, NRC currently has Continuous Diagnostic Monitoring (CDM) Support provided through DHS. In addition, NRC's Archer and Fidelis security tools have onsite support through a separate contract. Finally, NRC will be obtaining security tool support at least partially through the GLINDA SNCC BPA Call Awardee. NRC reserves the right to add and/or remove technologies during the Period of Performance.

For major incidents, NRC has traditionally used the reporting guidelines defined by US-CERT based as follows:

1. An incident that is reported to US-CERT because the security event impacted the Confidentiality, Integrity and/or Availability (CIA) of NRC host(s) and/or service(s).

Examples: A web server is compromised, defaced and/or made unavailable; DNS services experience a Denial of Service (DoS) attack impacting external customers. The impact of such an incident is classified as External/Critical.

2. An incident that causes a complete and immediate work stoppage affecting a Critical Function or Critical Infrastructure component such as a primary business process or a broad group of users (at least 25), an entire site, building, department, floor, branch, line of business, or external customer. No workaround is available. The impact of such an incident is classified as Internal/Critical.

Examples: Firewall outage; web proxy or VPN outage; security violation (e.g., denial of service, port scanning).

3. An incident that affects a business process in such a way that business functions are severely degraded, multiple users (10 or more) are impacted, a key customer is affected, or a Critical Function is operating at a significantly reduced capacity or functionality. A workaround may be available; however, the workaround is not easily sustainable.

Examples: Major data/database or application problem (e.g., email gateways/Internet mail flow); email system is performing slowly, but workload is manageable. The impact of such an incident is classified as High.

C.4.2.2.4.1 On-Site and Off-Site Incident Response

As part of its incident response services, the Contractor shall provide the following on-site services:

1. Work on-site with entities inside and outside of NRC to respond to an NRC incident - these entities may include CSIRT, system owners, Law Enforcement (i.e., OIG, Federal Bureau of Investigation (FBI)), commercial organizations, or other Government Agencies.
2. Work off-site with remote NRC and non-NRC entities to respond to an incident impacting NRC - these entities may include system owners, law enforcement organizations, commercial organizations, or other Government Agencies. The off-site locations would be NRC regional locations located throughout the United States. Historically, visits to off-site locations are rare, occurring once or twice a year at the most.
3. Apply expertise to assess damage, mitigate, and recover from an incident.

C.4.2.2.4.2 Incident Analysis

The Contractor shall analyze all of the artifacts from an intrusion to establish a timeline, determine the origin of the intrusion, identify what actions were taken to make the intrusion successful, determine the motivation (what the actor was after), develop a mitigation plan, and recover from the incident.


C.4.2.2.4.3 Counter Measure Coordination

The Contractor shall work with the BPA Call COR and appropriate organizations to implement any and all mitigation and recovery actions. All changes to a production environment shall go through the appropriate Change Management process and be approved by the BPA Call COR prior to implementation.

C.4.2.2.5 SOC Operations Service Deliverables

The Contractor shall provide the deliverables listed in the following table. All deliverables shall be submitted in Microsoft Word or Excel formats via email to the BPA Call COR unless otherwise designated by the BPA Call COR during execution of the BPA Call.

Deliverable: Daily Operational Report
Due Date: Daily; provided every business day by 10:00 a.m. for the previous day
Description: SOC Operational Daily Status Report for the NRC NOC/SOC operations. The Daily Operational Report is a summary of the security log and review checklists, in addition to other activities that took place during the day. Specifically, the SOC Operational Daily Status Report includes:

o Security Incidents detected or reported within the past 24 hours
o Security device outages
o Vulnerability advisements
o Alerts
o Intrusion detection signatures
o Threat bulletins released in the previous 24 hours
o Report shall include: open date; closed date; incident description; action taken; resolution; information type; United States Computer Emergency Readiness Team (US-CERT) incident number; US-CERT category; user information; source and destination hostname or IP address; whether the system was isolated; whether the system was pulled for NRC's Office of the Inspector General (OIG) forensics; date and time of OIG pickup (if applicable)
o Security event analysis results in accordance with the current Federal requirements and NRC requirements and guidelines

Deliverable: Weekly Operational Report
Due Date: Weekly; provided every Wednesday by 10:00 a.m. for the previous 5 business days
Description: SOC Operational Weekly Status Report providing the operational status of the SOC and the major task areas associated with this BPA Call

Deliverable: Quarterly Operational Report
Due Date: Within five (5) business days following the end of each quarter
Description: Cumulative SOC Operational Quarterly Report that includes:

o Number of incidents broken out by type and Component
o Incident trending by type
o Quarterly costs of incident response captured through manhours and remediation costs per system, to be determined on each incident. This shall be further broken down by Component cost contributions
o Percentage of incidents mitigated through the IDC (intrusion defense chain) based on internally-developed indicators-of-compromise in relation to indicators-of-compromise obtained from external sources
o Number of IDC indicators created
o Incident life cycle response to resolution time. This shall be broken out to reflect wait time on Office/Region response and the time the NRC SOC spent
o US-CERT reportable incident summaries and NRC's responses
o Major deployment of new systems
o Tool performance/use, including ongoing evaluation of existing and new tool performance to identify the effectiveness of tools for cost comparison and other metrics

Deliverable: Ad Hoc Operational Report
Due Date: OMB and DHS Data Calls will be responded to according to deadlines set by the BPA Call COR
Description: Ad hoc reports, as requested, related to any and all operating metrics. If workload is impacted, the Contractor shall notify the BPA Call COR, who will decide which activity takes precedence.

Deliverable: Standard Operating Procedure Updates
Due Date: Draft: Thirty (30) business days prior to process change implementation or effective date. Government Comments: Provided within ten (10) business days after receipt of draft. Final: Ten (10) business days prior to process change implementation or effective date.

C.4.2.3 Support Area #3: Cybersecurity Event Communications and Coordination

The Contractor shall perform communications and coordination activities across the Agency's security functions as described in more detail in the following sub-sections.

C.4.2.3.1 Information Security Incident Coordination

Information security incident response is a critical NRC SOC function that includes the technical expertise for the SOC to manage, coordinate response and remediation communications, document, and report on NRC information security incidents. To address the Agency's information security incident response requirements, the Contractor shall:

1. Provide 6:00 a.m. - 6:00 p.m. Monday - Friday business hour incident response expertise with after-hours on-call support and include an option for 24x7x365 incident response management if requested by the BPA Call COR.
2. Conduct coordinated computer security incident management and response to meet reporting requirements to US-CERT, in accordance with FISMA and NRC and DHS policies.


3. Conduct research on threats, assess the situation, determine relevance to the NRC environment, provide security situational awareness, and coordinate with the BPA Call COR and their designees as necessary.
4. Adhere to the NRC Incident Response Plan and SOC SOPs, as applicable.
5. Coordinate and advise on incident response actions taken by other NRC Offices for incidents affecting their areas of responsibility.
6. Assist the designated NRC personnel in managing incident tracking, workflow, and reporting.
7. Assist security investigations by applying asset criticality, identity, vulnerability information, and the location of sensitive digital assets.
8. Serve as the focal point in collaboration with the Agency's Security Operations Branch (SOB) for determining whether an incident can be investigated.
9. Collect, document, and preserve information security incident evidence, maintaining chain-of-custody rules.
10. Interview individuals involved in an information security incident.
11. Perform investigations to identify incident root cause or source, extent of damage, and recommended countermeasures.
12. Prepare reports describing incident investigations.
13. Make recommendations to prevent, disrupt, reduce, bypass and correct conditions of possible future similar incidents.
14. Assist in recovery tasks stemming from cyber security incidents.
15. Provide incident response status reporting as required.

C.4.2.3.2 Centralized NRC Security Incident Management Coordination

The Contractor shall execute security incident related communications and provide the mechanisms for coordinating NRC's response activities. To accomplish this, the Contractor shall:

1. Serve as the central point of contact and communications for all unclassified NRC infrastructure information security incidents.
2. Keep the designated NRC personnel and other key stakeholders informed of matters concerning the NRC security posture.
3. Escalate response activities and notifications based on NRC response procedures.
4. Maintain routine communication mechanisms, including a daily NRC SOC status call, incident-specific conference calls, retrievable customized online reports, and email and ticket notifications, in order to share information with NRC Government leads.
5. Coordinate, through the BPA Call COR, incident responses within NRC and external entities, including:
a. US-CERT
b. NRC Privacy Officer
c. NRC OCIO/ITSDOD/Security Operations Branch (SOB)
d. NRC Office of the Inspector General (OIG)
6. Serve as an advisor as needed to NRC Government personnel who represent NRC to external Government Agencies and National Security forums and discussions.
7. Perform NRC SOC incident response to ensure remediation occurs for any successful phishing attacks.
8. Coordinate, through the BPA Call COR, with other NRC Offices on planning and executing cybersecurity incident remediation actions.

C.4.2.3.3 Incident Response Testing

The Contractor shall participate in discrete testing of various aspects of the Agency's incident response capabilities on a monthly, quarterly, bi-annual and annual basis. To accomplish this, the Contractor shall:

o Coordinate with the BPA Call COR and other vendors supporting the Agency's cyber functions to plan for the execution of incident response testing and related exercises.
o Execute Agency-defined tests and exercises to determine the NRC's incident response effectiveness across the response lifecycle.
o Employ, where practical, available automated mechanisms to more thoroughly and effectively test/exercise the Agency's incident response capabilities.
o Analyze test/exercise results and findings to identify opportunities to improve the Agency's response capabilities, harden the Agency's computing and network architectures, and improve future tests and exercises.

C.4.2.3.4 Continuity of Operations (COOP) Coordination

To help address the Agency's COOP related planning, testing, activation, and delivery, the Contractor shall work in close collaboration with a range of stakeholders to help ensure the Agency's SOC monitoring and analysis services are maintained at required levels identified in Agency disaster recovery (DR) and COOP plans and aligned with the plans and objectives of broader Agency COOP planning activities. To address this objective, the Contractor shall:

1. On a quarterly basis and as directed, review and refine the SOC monitoring and analysis COOP recovery and delivery plans in conjunction with the BPA Call COR, vendor(s) and/or other stakeholders responsible for SOC tool/system availability.
2. Review and recommend alternative coverage and staffing approaches as applicable based on efficiency and/or effectiveness opportunities uncovered during plan development and testing.
3. Maintain SOC COOP documentation, related information, and content sites/services in conjunction with other providers responsible for SOC tools and/or system COOP plans.
4. Assess opportunities to enhance the Agency's risk posture and/or reduce the cost of existing SOC related monitoring and analysis capabilities used to meet the Agency's requirements.
5. Participate in annual and semi-annual (twice a year) off-hour/weekend testing of all DR plans.
6. Participate in Agency ad-hoc DR planning exercises including tabletop, parallel, and other testing approaches.
7. Develop and, where accepted, implement DR/COOP related recommendations based on testing outcomes.
8. Provide COOP activation coordination support for the SOC's services consistent with Agency procedures for activation and restoration of services.
9. Initiate SOC services related communications procedures inclusive of call tree management and control protocols.
10. Execute COOP procedures consistent with current plans and capabilities established for the SOC.
11. Remediate/triage coverage and services availability as required.


12. Execute restoration of resources to the Agencys existing or new SOC facility consistent with current plans and agency capabilities.

C.4.2.3.5 Cybersecurity Communications and Coordination Deliverables

The Contractor shall provide the deliverables listed in the following table. All deliverables shall be submitted in Microsoft Word or Excel formats via email to the BPA Call COR unless otherwise designated by the BPA Call COR during execution of the BPA Call.

Deliverable: Incident Status Report
Due Date: Daily; provided every business day by 10:00 a.m. for the previous day
Description: Status report for all active incidents describing the current security posture of the Agency as well as the specific activity status of each incident, to include:

o Incident summary
o Previous actions taken
o Pending actions, their expected timing, and who is responsible for executing the action

C.4.2.4 Support Area #4: Transition and Associated Management

Upon initiation of the BPA Call, the Contractor shall participate in the transition of the existing services of similar scope provided under the NRC's current contract(s).

Service / Delivery Objectives

The Contractor's Transition and Associated Management services shall support the successful transition of existing services, capabilities, and agreements. The NRC defines successful transition as the actual performance of seamlessly continuing to provide services while identifying and capturing opportunities to increase service effectiveness, as well as leveraging the transition as an opportunity to make systemic changes to service delivery where required.

Success in this specific context is defined as continuing to deliver existing IT services at the SLRs described in this document with no downtime (unless scheduled and previously approved by the BPA Call COR) once the incumbent ceases operation of the existing IT service in question.

There may be a Transition-In Period and a Transition-Out Period, depending on incumbencies.

It is anticipated that the BPA Call will be awarded no later than September 30, 2017. The start date of December 4, 2017 is an estimated date work/transition will commence under the BPA Call due to NRC required security processing for Contractor personnel. The Transition-In Period is anticipated to be approximately the first sixty (60) calendar days after award of the BPA Call. Depending upon procurement time, the Transition-In Period may be a shorter length of time, if Transition-In cannot begin by November 30, 2017.

At the completion of the transition from the incumbent Contractor, the Contractor shall assume full responsibility for performance of this BPA Call.

Required Services

The Contractor will be expected to cooperate with the incumbent Contractor to develop a seamless transition from the incumbent contract to this BPA Call in accordance with FAR clause 52.237-3 in the incumbent contract.

C.4.2.4.1 Transition-In Responsibilities

Ongoing tasks that fall within the scope of this BPA Call but are currently provided under existing Indefinite Delivery Indefinite Quantity (IDIQ) or other vehicles will be transitioned to this BPA Call. Accordingly, the Contractor shall establish a transition team to implement a standard transition process to be used during the start-up period and to prepare for the transition of underlying support areas. The Contractor shall provide advisory and technical expertise to align, at a minimum, the following transition responsibilities:

o Over-arching transition management, including coordination, risk management, problem resolution, and reporting of status on transition activities
o Human capital transition management, including on-boarding, clearance processing, incumbent personnel transfer, and training as required
o Work-stream management, including establishing processes and mechanisms for knowledge and skills transfer as well as identifying and implementing straightforward process improvements

The Contractor shall provide a transition team to address the requirement that is experienced in transitioning mission critical IT services and the equipment that supports such services. To protect the incumbent and NRC, transition team members will be required to sign personal Non-Disclosure Agreements (NDAs) with the incumbent and its sub-contractors so that any incumbent proprietary or business sensitive information is appropriately protected.

C.4.2.4.2 Reserved

C.4.2.5 Security Compliance and Related Requirements

The Contractor shall deliver its services in compliance with the Agency's security requirements described in more detail below. These security requirements are critical to the success of the Agency. However, compliance with these requirements is expected to be achieved within the respective Tasks of this PWS that they apply to. Additionally, to help ensure these requirements are complied with and appropriately integrated into the PWS Tasks, the Contractor shall:

o Designate a specific Security Compliance Lead to oversee implementation and maintenance of the security requirements identified in this section
o Develop and utilize specific procedures that ensure the requirements are met when performing their services

The security compliance and related requirements are described in more detail in the following sub-sections.

C.4.2.5.1 Commitment to Protect Non-Public Information

The Contractor shall:

1. Ensure strict confidentiality of all Classified Information, Safeguards Information (SGI), Sensitive Unclassified Non-Safeguards Information (SUNSI), and Controlled Unclassified Information (CUI) information/data that is provided by the Government during the performance of the contract.


2. Be responsible for coordinating with the NRC Privacy Officer to ensure all applicable Federal privacy requirements are being met in accordance with NRC procedures.
3. Be responsible for coordinating with NRC CISO staff to ensure applicable federal security requirements are being met in accordance with Federal and NRC policies.

C.4.2.5.2 Position Sensitivity Designation

The Contractor shall:

1. Identify all its personnel, subcontractor personnel, or consultants requiring NRC access approval and propose the level of Information Technology (IT) approval for each, using the NRC guidance in clause 4, SECURITY REQUIREMENTS FOR INFORMATION TECHNOLOGY LEVEL I OR LEVEL II ACCESS APPROVAL (attached).
2. Ensure that all its personnel, subcontractor personnel or consultants who are assigned to perform the work herein for contract performance for periods of more than 30 calendar days at NRC facilities are approved by the NRC for unescorted NRC building access using the guidance in clause 3, SECURITY REQUIREMENTS FOR BUILDING ACCESS APPROVAL (attached).

C.4.2.5.3 Information Security Awareness and Role-Based Training

The Contractor shall:

1. Complete NRC-provided mandatory security and privacy training prior to gaining access to NRC information systems and provide the completion certificate number to the BPA Call COR and Contractor. The training requirements are mandatory. Non-compliance may result in revocation of system access.
2. Complete annual security and privacy refresher training. NRC will provide notification and instructions on completing this training.
3. Maintain a listing, by name and title, of contractor personnel working under this BPA Call who have completed the mandatory training. The list shall be provided to the BPA Call COR upon request to satisfy Federal Information Security Management Act (FISMA) requirements.
4. Complete specialized IT security training based on role-based requirements. The Contractor is required to report the training completed so that the competencies this training addresses can be confirmed.
5. Ensure training hours satisfying any training requirements are submitted to the BPA Call COR upon completion of training.

C.4.2.5.4 Rules of Behavior

The Contractor shall ensure that:

1. All personnel, including Subcontractor personnel, comply with the NRC Rules of Behavior (RoB).
2. All users of NRC IT resources read these rules and sign the accompanying acknowledgement form before accessing NRC data/information, systems and/or networks.
3. The acknowledgement is signed annually to reaffirm knowledge of, and agreement to adhere to, the NRC RoB. These affirmations shall be provided to the BPA Call COR upon request.


4. Contractor personnel with access to specific NRC systems sign additional Rules of Behavior specific to those systems.

Additionally, NRC's Information Security Team will verify non-government furnished equipment to ensure that it meets the required standards as defined in the Rules of Behavior policy.

C.4.2.5.5 Information Security and Privacy

The Contractor shall:

1. Designate a specific person responsible for information security and have a segregated group with roles and responsibilities that will ensure compliance and oversight of IT security.
2. Ensure that its subcontractors and data transfer stakeholders (either internal or external to the Contractor firm) provide the same security and privacy protection where applicable. This requirement is important because in an age where business practices demand fast and easy transmission of information across borders - and the cloud - those very activities can easily run afoul of the laws, regulations, and restrictions governing data transfers, whether relating to consumer, customer, personnel, vendor, or other data.
3. As new Federal security requirements or updates to existing requirements are made, apply those that are pertinent to the systems and processes they use in support of the NRC.
4. Properly protect and handle information in accordance with the type of the information.
5. Only use NRC approved methods to send and receive information considered sensitive or classified.

Additionally, written approval from the BPA Call COR is required prior to the use or storage of NRC Sensitive Information or sharing of NRC Sensitive Information by the Contractor with any subcontractor, person, or entity other than NRC. Requests for approval should be submitted to the BPA Call COR. At the BPA Call COR's discretion, the request will be forwarded to the NRC Chief Information Officer (CIO) or the CIO's delegate for further action.

C.4.2.5.6 Controlling System Access

The Contractor shall:

1. Track/control/prevent/correct secure access to critical assets (e.g., information, resources, systems, etc.) according to NRC's policy and the formal determination of which persons, computers, and applications have a need and right to access critical assets based on an approved classification. A combination of Remedy and Space Property Management System (SPMS) will be used for asset management. System Center Configuration Manager (SCCM) as well as NRC's Enterprise Development and Test Environment (EDTE) will be used for patch management. From a Continuous Diagnostic Monitoring (CDM) perspective, ForeScout CounterACT is used for hardware asset management and McAfee Application Control is used for software asset management.
2. Use PIV credentials in accordance with NIST FIPS 201, Personal Identity Verification (PIV) of all Federal personnel and Contractors to provide user-based access to information systems.
3. Ensure that all Contractor personnel accessing systems processing NRC's information have user-based PIV card access.

4. Ensure the most restrictive set of rights/privileges or accesses needed by users (or processes acting on behalf of users) for the performance of specified tasks is enforced by the system through assigned access authorizations.
5. Ensure separation of duties for Contractor systems used to process NRC information is enforced by the system through assigned access authorizations.

C.4.2.5.7 Security Incident Response

Consistent with Federal Government reporting requirements, all incidents must be reported to the United States Computer Emergency Readiness Team (US-CERT). To comply, the Contractor shall:

1. Report any information security incident to the BPA Call COR and the NRC designated point of contact within 1 hour of discovery. The NRC designated POC is part of the NRC OCIO CERT Activity. NRC Federal Personnel will perform initial contact with US-CERT regarding incidents. NRC will report an information security incident that also becomes a privacy incident (when the incident involves the suspected or actual loss of PII) to the United States Computer Emergency Readiness Team (US-CERT) within 1 hour of discovery.
2. Ensure any incident the US-CERT and/or NRC designates as a major incident shall be reported to the BPA Call COR and the NRC designated point of contact, who will then ensure it is reported to Congress within 7 days of discovery.
3. Handle incidents per federal, department and NRC regulations. Incident reports to the NRC designated point of contact will be completed in alignment with federal, department, and NRC regulations.
4. Establish an incident response team that will investigate, manage and report incidents internal to the Contractor security boundaries.
5. Facilitate and manage the processing of all security incidents for the NRC enterprise.
6. Collaborate with other contractors for incidents that cross contract boundaries.
7. Notify the BPA Call COR within 24 hours of the discovery or disclosure of successful exploits of a vulnerability which can compromise the security of the Systems (including the confidentiality or integrity of its data and operations, or the availability of the system).

C.4.2.5.8 Security Standards

Where applicable, the Contractor shall:

1. Develop and apply appropriate security controls to meet NRC information security requirements, as defined in NRC Security Standards Table 1 below. The publicly available NRC standards can be accessed using the accession numbers at http://www.nrc.gov/reading-rm/adams.html. Non-publicly available standards will be provided by the BPA Call COR upon request.
2. Coordinate with the BPA Call COR to assess and establish/update each of the above listed criteria within 30 days of BPA Call award or when a significant change has been made to its system.
3. Coordinate with the BPA Call COR to assess and recommend alternative ways to improve NRC information security requirements as defined in NRC Security Standards.
4. Coordinate with the BPA Call COR to develop and establish/update a strategy for reducing legacy system or application risk to an acceptable level, as defined and approved by the NRC CIO.

C.4.2.5.9 System Security Requirements

All information systems that input, store, process, and/or output Government information must be provided an Authority to Operate (ATO) signed by the NRC CIO, or Designated Approving Authority. Contractor personnel will be responsible for maintaining current documentation in support of maintaining ATOs, but they may become primarily responsible for ATOs during the Period of Performance. Where applicable, the Contractor shall:

1. Adhere to current NRC policies, procedures, and guidance for security Assessment and Authorization (A&A) activities.
2. Provide access to the Federal Government, or the Government's designee, when requested, in order to verify compliance with the requirements for an Information Technology security program. For systems not located on NRC premises, the Government reserves the right to conduct on-site inspections. The Contractor shall make appropriate personnel available for interviews and provide all necessary documentation during this review.
3. Take an active role in the support of the Assessment and Authorization lifecycle for all systems the Contractor supports. This includes attendance at all appropriate meetings (e.g., kickoff, findings, etc.); development of corrective action plans; remediation of findings; as well as providing reports to NRC.

4. Support the NRC continuous monitoring methodology based on NIST SP 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. The Contractor shall continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers. All Contractor systems shall participate in Information Security Continuous Monitoring (ISCM) and Reporting as defined in the NRC IT Policy.

Additionally, if the Contractor is developing an NRC information system, system component, or information system service, the Contractor shall also:

1. Follow a documented development process that: (i) explicitly addresses security requirements; (ii) identifies the standards and tools used in the development process.
2. Produce design specification and security architecture that is consistent with and supportive of NRC security architecture and accurately and completely describes the required security functionality, and the allocation of security controls among physical and logical components.

C.4.2.5.10 Interconnection Security Agreements

The Contractor is not responsible for accrediting system interfaces. Any Interconnection Security Agreements (ISA) between NRC and non-NRC information systems shall be established only through controlled interfaces and via approved service providers. The controlled interfaces shall be accredited at the highest security level of information on the network. Connections with other Federal agencies shall be documented based on interagency agreements, memoranda of understanding, service level agreements or interconnect service agreements.

C.4.2.5.11 System Authorization and Assessment

Where applicable, the Contractor shall:


1. Comply with Authority To Operate (ATO) requirements as mandated by Federal laws and policies, including making available any documentation, physical access, and logical access needed to support this requirement.
2. Coordinate with the NRC business owner to create, maintain, and update all applicable ATO documentation as defined by NRC Information Security procedures.
3. Allow NRC personnel (or NRC CISO-designated third-party contractors) to conduct Security Assessment activities to include control reviews in accordance with NIST SP 800-53/NIST SP 800-53A and NRC procedures and standards.
4. Be responsible for mitigating all applicable security risks found during the ATO process and continuous monitoring activities.

Prior to authorizing a system or application using public cloud services, the NRC will work with the Contractor to implement customer and shared responsibility controls and conduct a thorough review of the security assessment package to determine that it is complete, consistent, and compliant with FedRAMP requirements. To address this, the Contractor shall:

1. Give the agency access to the Contractor's facilities, installations, operations, documentation, databases, IT systems, devices, and personnel used in performance of the contract, regardless of location.
2. Submit A&A packages to the BPA Call COR at least 90 days before the ATO expiration date for security review and verification of security controls.

The 90-day security review process is independent of the system production date, so it is important to build the security review into project schedules. Security reviews may include on-site visits that involve physical or logical inspection of the Contractor environment to ensure controls are in place. ATO extensions will only be granted in extenuating circumstances.

C.4.2.5.12 Security Controls Compliance Assessment

Where applicable, the Contractor shall:

1. Not publish or disclose in any manner, without the CO's written consent, the details of any safeguards either designed or developed by the Contractor under this contract or otherwise provided by the Government.
2. Afford the Government access to the Contractor's facilities, installations, technical capabilities, operations, documentation, records, and databases within 72 hours of notification. The program of inspection shall include, but is not limited to, authenticated and unauthenticated:
a. Operating system/network vulnerability scans,
b. Web application vulnerability scans,
c. Database application vulnerability scans.

Automated scans can be performed by Government personnel, or personnel acting on behalf of the Government, using Government-operated equipment and Government-specified tools.

C.4.2.5.13 Common Security Configurations

Where applicable, the Contractor shall:

1. Apply approved security configuration standards to all IT system components that are used to process information on behalf of NRC.
2. Configure its computing systems that contain NRC data using NRC-approved or established configuration settings. The NRC order of precedence for the applicability of configuration standards is as follows:
a. NRC Standards.
b. Defense Information Systems Agency (DISA) finalized standards, checklists, and guidance.
c. Center for Internet Security (CIS) finalized Benchmarks.
d. Vendor provided guidance.
e. Industry Best Practice.
3. Ensure consistent quality is built into the security compliance and deviation process for managing (tracking, reporting on, and correcting) the security configuration of laptops, servers, workstations, and network infrastructure devices.
4. Work with the NRC and its other contractors to acquire, interface, or integrate NRC and DHS Continuous Diagnostics and Mitigation (CDM) security vulnerability monitoring and assessment tools within their system boundary to provide an agency-wide view of its security risk posture.
5. Ensure IT applications operated on behalf of NRC are fully functional and operate correctly on systems configured in accordance with the above configuration requirements.
6. Use Security Content Automation Protocol (SCAP)-validated tools to ensure its products operate correctly with baseline configurations and do not alter applied settings.
7. Test applicable product versions with all relevant and current updates and patches installed.
8. Ensure currently supported versions of IT products meet the latest baseline major version, and subsequent major versions.
9. Ensure IT applications designed for end users run in the standard user context without requiring elevated administrative privileges.
10. Ensure hardware and software installation, operation, maintenance, update, and patching will not alter the configuration settings or requirements specified above.
11. Ensure servers, desktops, and laptops operated on behalf of NRC (1) include Federal Information Processing Standard (FIPS) 201-compliant (see http://csrc.nist.gov/publications/PubsFIPS.html), Homeland Security Presidential Directive 12 (HSPD-12) card readers; and (2) comply with FAR Subpart 4.13, Personal Identity Verification (PIV).
12. Ensure Microsoft Windows-based software uses the Windows Installer Service for installation to the default appropriate operating system Program Files directory, and is able to silently install and uninstall, under central administrator control.
13. Ensure that all subcontractors (at all tiers) performing work under this call comply with the requirements contained in this BPA Call.
14. Ensure the most restrictive set of rights/privileges or accesses needed by users (or processes acting on behalf of users) for the performance of specified tasks is enforced by the system through assigned access authorizations.
15. Ensure separation of duties for Contractor systems used to process NRC information is strictly enforced through assigned access authorizations.
16. Establish, implement, and actively manage (track, report on, correct) the security configuration of laptops, servers, workstations and network infrastructure devices using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
17. Ensure all IT components and applications are in compliance with approved configuration standards or have an approved deviation from standards.

18. Ensure that system components and applications are fully functional and operate correctly as intended on systems with the security configuration checklists, guidelines, or standards approved by the NRC.
19. Only allow fully vendor supported hardware and applications with approved security configurations.

Information systems provided to the NRC by contractors that process CUI shall meet the requirements of NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations [2]. The Contractor shall work with the NRC to identify security requirements for a detailed description of the system's security architecture and controls, and/or the provision of supporting test data.

C.4.2.5.14 Security for Encryption

Device encryption shall occur before the use of a laptop computer/mobile device. The required encryption software and tools will be provided by NRC. Where applicable, the Contractor shall:

1. Use encryption that complies with FIPS 140-2, Security Requirements for Cryptographic Modules (as amended), to protect all instances of NRC sensitive information during storage and transmission.
2. Verify that the selected encryption product has been validated under the Cryptographic Module Validation Program (see http://csrc.nist.gov/cryptval/) to confirm compliance with FIPS 140-2. The Contractor shall provide a written copy of the validation documentation to the BPA Call COR.
3. Use the Key Management Key (see Chapter 4 of FIPS 201) on the NRC Personal Identity Verification (PIV) card; or, alternatively, the Contractor shall establish and use a key recovery mechanism to ensure the ability for authorized personnel to decrypt and recover all encrypted information. The Contractor shall notify the BPA Call COR of personnel authorized to decrypt and recover all encrypted information.
4. Securely generate and manage encryption keys to prevent unauthorized decryption of information in accordance with FIPS 140-2.
5. Ensure the encryption standard referenced in section 1.1.3 is applied to all laptop computers, desktop computers, and other mobile devices and portable media that store or process sensitive NRC information.

C.4.2.5.15 Patching

Where applicable, the Contractor shall:

1. Consistent with Department of Homeland Security (DHS) Binding Operational Directive 15-01, Critical Vulnerability Mitigation Requirements for Federal Civilian Executive Branch Departments and Agencies Internet-Accessible Systems, patch all critical and high vulnerabilities immediately or, at a minimum, within 30 days of patch release.
2. Apply patches to all systems, even systems that are properly air-gapped or are physically isolated from unsecured networks.

3. Develop and apply an appropriate automated patching solution to meet NRC information security requirements where practical, as defined and approved by the NRC Chief Information Officer (CIO).

[2] http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf

C.4.2.5.16 Tracking and Correcting Security Deficiencies

Where applicable, the Contractor shall:

1. Track and correct any applicable information security deficiencies, conditions, weaknesses, findings, and gaps identified by audits, reviews, security control assessments, and tests, including those identified in:
a. Chief Financial Officer (CFO) audits
b. FISMA audits
c. NRC evaluations and tests
d. Inspector General (IG) audits and reviews
e. A-123 audits
f. NRC Security Operations Center (SOC) continuous monitoring activities such as, but not limited to, vulnerability and compliance scanning of all the NRC information systems
g. Other applicable reviews and audits
2. Mitigate critical and high-risk deficiencies within 30 days, moderate-risk deficiencies within 90 days, and low-risk deficiencies within 120 days from the date the deficiencies are formally identified.
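The remediation windows in C.4.2.5.15 and C.4.2.5.16 are fixed day counts from the date a deficiency is formally identified, which makes them easy to check mechanically. As an added example (not part of the BPA Call text, and not CGI Federal's or NRC's own tooling), the following Python tracker applies those windows to constructed findings and flags anything still open past its deadline. The finding identifiers, sources, and dates are made up for the example; the risk-level names are assumed to match the PWS wording.

```python
"""
Added example, not part of the BPA Call text: a small tracker that applies the
remediation windows of C.4.2.5.15 and C.4.2.5.16 to constructed findings.
Risk levels map to the days stated in the PWS (critical/high 30, moderate 90,
low 120), counted from the date the deficiency was formally identified.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Remediation windows in days, taken from C.4.2.5.16 item 2; the 30-day
# critical/high window also matches the patch window in C.4.2.5.15 item 1.
REMEDIATION_DAYS = {"critical": 30, "high": 30, "moderate": 90, "low": 120}


@dataclass(frozen=True)
class Finding:
    finding_id: str                # constructed identifier, not an NRC value
    source: str                    # audit or monitoring activity that raised it
    risk: str                      # critical / high / moderate / low
    identified: date               # date the deficiency was formally identified
    closed: Optional[date] = None  # date mitigation was verified, if any


def due_date(f: Finding) -> date:
    """Deadline implied by the PWS window for the finding's risk level."""
    risk = f.risk.lower()
    if risk not in REMEDIATION_DAYS:
        raise ValueError(f"unknown risk level: {f.risk!r}")
    return f.identified + timedelta(days=REMEDIATION_DAYS[risk])


def status(f: Finding, as_of: date) -> str:
    """One of: open, overdue, closed, closed-late (closed after its deadline)."""
    due = due_date(f)
    if f.closed is not None:
        return "closed" if f.closed <= due else "closed-late"
    return "overdue" if as_of > due else "open"


def summarize(findings, as_of_iso: str) -> dict:
    """Per-finding deadline, status, and days remaining (negative when past due)."""
    as_of = date.fromisoformat(as_of_iso)
    return {
        f.finding_id: {
            "risk": f.risk,
            "due": due_date(f).isoformat(),
            "status": status(f, as_of),
            "days_remaining": (due_date(f) - as_of).days,
        }
        for f in findings
    }


def overdue_ids(findings, as_of_iso: str) -> list:
    """Sorted ids of open findings that are past their PWS deadline."""
    rows = summarize(findings, as_of_iso)
    return sorted(fid for fid, row in rows.items() if row["status"] == "overdue")


# Constructed sample findings; the sources mirror the list in C.4.2.5.16 item 1.
SAMPLE_FINDINGS = [
    Finding("F-001", "SOC vulnerability scan", "critical", date(2019, 9, 2)),
    Finding("F-002", "IG audit", "moderate", date(2019, 7, 1), closed=date(2019, 9, 25)),
    Finding("F-003", "FISMA audit", "low", date(2019, 6, 1)),
    Finding("F-004", "CFO audit", "high", date(2019, 8, 1), closed=date(2019, 9, 15)),
]

if __name__ == "__main__":
    for fid, row in summarize(SAMPLE_FINDINGS, "2019-10-15").items():
        print(fid, row)
```

The `closed-late` state is kept separate from `closed` so that a POA&M report can show deficiencies that were eventually fixed but missed the contractual window, which is the figure a COR reviewing SLR compliance would ask for.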

C.4.2.5.17 Security Tools Implementation

Where applicable, the Contractor shall coordinate with the BPA Call COR, staff, and other contractors to understand their specified requirements in administering, managing, configuring, maintaining, acquiring, interfacing, integrating, and/or tuning NRC's defined security tools, devices, application systems, servers, and sensors for systems/applications they host or maintain.

C.4.2.5.18 Return of NRC and NRC-Activity-Related Information

The Contractor shall coordinate with the BPA Call COR to ensure the return of all originals (and at least one duplicate copy of the information types specified by NRC) of all NRC-provided and NRC-Activity-Related Information (including but not limited to all records, files, and metadata in electronic or hardcopy format), including but not limited to any of the following:

Provided by NRC or obtained by the Contractor while conducting activities in accordance with the contract

Distributed for any purpose by the Contractor to any other related organization and/or any other component or separate business entity

Received from the Contractor by any other related organization and/or any other component or separate business entity.

C.4.2.5.19 Verified Secure Destruction of NRC and NRC-Activity-Related Information

The Contractor shall comply with NRC secure destruction processes. The Contractor shall coordinate with the BPA Call COR to execute secure destruction of all active and archived originals and/or copies of all NRC and NRC-activity-related files and information (including but not limited to all records, files, and metadata in electronic or hardcopy format), by procedures approved by NRC in advance. NRC and NRC-activity-related files include but are not limited to:

Provided by NRC or obtained by the Contractor while conducting activities in accordance with the contract

Distributed for any purpose by the Contractor to any other related organization and/or any other component or separate business entity

Received from the Contractor by any other related organization and/or any other component or separate business entity.

C.4.2.5.20 Return of NRC-Owned or Leased Computing Equipment

In accordance with NRC policies and federal government regulation, the Contractor shall coordinate with the BPA Call COR to return all NRC-owned or leased computing and information storage equipment within a time period approved by NRC.

C.4.2.6 Section 508 - Information and Communication Technology Standards

C.4.2.6.1 General Requirements

In order to help the NRC comply with Section 508 of the Rehabilitation Act of 1973, as amended (29 U.S.C. § 794d) (Section 508), the Contractor shall ensure that its deliverables (both products and services) under this task order are 1) in conformance with and 2) support the requirements of the Standards for Section 508 of the Rehabilitation Act, as set forth in Appendices A, C and D of 36 CFR Part 1194, as revised 1/18/2017. See https://www.access-board.gov/guidelines-and-standards/communications-and-it/about-the-ict-refresh/final-rule.

C.4.2.6.2 Applicable Standards

The following provisions in 36 CFR Part 1194 are applicable to this BPA Call:

Appendix A to Part 1194 - Section 508 of the Rehabilitation Act: Application and Scoping Requirements
  o 508 Chapter 1: Application and Administration
    E101 General
    E102 Referenced Standards
    E103 Definitions
  o 508 Chapter 2: Scoping Requirements
    E201 Application
    E202 General Exceptions
    E203 Access to Functionality
    E204 Functional Performance Criteria
    E205 Content
    E206 Hardware
    E207 Software
    E208 Support Documentation and Services

Appendix C to Part 1194 - Functional Performance Criteria and Technical Requirements
  o Chapter 3: Functional Performance Criteria
    301 General
    302 Functional Performance Criteria
  o Chapter 4: Hardware
    401 General
    402 Closed Functionality
    403 Biometrics (maybe)
    404 Preservation of Information Provided for Accessibility
    405 Privacy
    406 Standard Connections
    407 Operable Parts
    408 Display Screens
    409 Status Indicators
    410 Color Coding
    411 Audible Signals
    412 ICT with Two-Way Communication (maybe)
    413 Closed Caption Processing Technologies (maybe)
    414 Audio Description Processing Technologies (maybe)
    415 User Controls for Captions and Audio Descriptions (maybe)
  o Chapter 5: Software
    501 General
    502 Interoperability with Assistive Technology
    503 Applications
    504 Authoring Tools (maybe)
  o Chapter 6: Support Documentation and Services (maybe)
    601 General
    602 Support Documentation
    603 Support Services
  o Chapter 7: Referenced Standards
    701 General
    702 Incorporation by Reference

Appendix D to Part 1194 - Electronic and Information Technology Accessibility Standards as Originally Published on December 21, 2000

Refer to Chapter 2 (Scoping Requirements) first to confirm what provisions in Appendix C apply in a particular case.

Use of Appendix D for conformance by the Contractor, when permitted by the revised 508 standards, shall only be with case-by-case written permission from the BPA Call COR.

C.4.2.6.3 Exceptions

Use of the Legacy ICT exception (section E202.2 of 36 CFR Part 1194) shall only be permitted on a case-by-case basis and with approval from the BPA Call COR.

The Contractor must maintain and, when requested by the BPA Call COR, provide access to any documentation necessary to support use of the following general exceptions to the 508 standards in the delivery of the Contractor's products and services under this BPA Call:

Undue Burden or Fundamental Alteration (section E202.6)

Best Meets (section E202.7)

Note: The Undue Burden exception is rare and is unlikely to be applicable. If the Contractor thinks that it may apply, then written approval must first be requested and obtained from the BPA Call COR.

Examples of documentation that may be needed include, but are not limited to:

Documentation of the basis for an undue burden or fundamental alteration (see section E202.6)

Documentation on a) the non-availability of conforming ICT, including a description of market research performed and which provisions cannot be met, and b) the basis for determining that the ICT to be procured best meets requirements in the 508 standards consistent with the NRC's business needs.

When an Undue Burden, Fundamental Alteration, or Best Meets exception applies in the delivery of the Contractor's products and services under this BPA Call, the Contractor shall propose and obtain BPA Call COR approval for development and use of an alternative means for providing individuals with disabilities access to and use of information and data.

All electronic content deliverables (including those in 4.2.1.6, 4.2.2.5, 4.2.3.5, and 4.2.4.3 of this PWS) under this BPA Call shall conform to section E205. However, all formal and final versions of electronic content that are documents (as defined in section E103.4) deliverables shall conform to section E205.4 unless the BPA Call COR gives specific approval.

C.4.2.6.4 Additional Requirements

The Contractor shall ensure they do the following:

Address Section 508 standards requirements throughout product and service lifecycles. Some example lifecycle activities include:

  o Planning
  o Staff resource selection (do they have the needed experience, skills and understanding of how to address Section 508 requirements applicable to their role?)
  o Requirements documentation
  o Market research for products and services
  o Alternatives analysis
  o Product design, development, configuration, testing and maintenance
  o Service design, development, maintenance and documentation
  o Document and Web content authoring, validation and publishing
  o Testing and validation
  o Product and service documentation and support

Ensure that Contractor personnel have the knowledge, skills, and ability necessary to address the applicable revised Section 508 standards.

If and when the Contractor provides custom ICT development services pursuant to this BPA Call, the Contractor shall ensure the ICT products and services fully support the applicable revised Section 508 standards prior to delivery and before final acceptance.

If and when the Contractor provides installation, configuration or integration services for equipment and software pursuant to this BPA Call, the Contractor shall not install, configure or integrate the equipment and software in a way that reduces the level of conformance with the applicable revised Section 508 standards.

If and when the Contractor provides ICT support services the services shall accommodate the communication needs of end-users with disabilities.

C.4.2.6.5 Clarification

The following information is provided to highlight or clarify some requirements of the Section 508 standards:

The Section 508 standards apply when developing, procuring, maintaining, or using information and communication technology (ICT).

ICT is information technology and other equipment, systems, technologies, or processes, for which the principal function is the creation, manipulation, storage, display, receipt, or transmission of electronic data and information, as well as any associated content.

Examples of ICT include, but are not limited to: computers and peripheral equipment; information kiosks and transaction machines; telecommunications equipment; customer premises equipment; multifunction office machines; software; applications; Web sites; videos; and, electronic documents.

The use of an alternative design or technology that results in substantially equivalent or greater accessibility and usability by individuals with disabilities than would be provided by conformance to one or more of the requirements in Chapters 4 and 5 of the Revised 508 Standards is permitted. The functional performance criteria in Chapter 3 of the Revised 508 Standards shall be used to determine whether substantially equivalent or greater accessibility and usability is provided to individuals with disabilities.

Deliverables that are in Adobe Portable Document Format (PDF) shall conform to the requirement in E205.4 of the Revised 508 Standards and ISO 14289-1 (PDF/UA-1).

C.4.2.6.6 508-Specific Deliverables

The following 508-specific deliverables may be applicable. The BPA Call COR will provide additional guidance regarding any Section 508 action items and deliverables as the topic arises during the Period of Performance.

Documentation to support use of 508 standards exceptions, such as market research documentation

508-specific test plans and test results documentation

Documentation on accessibility and compatibility features of ICT (see section 602 in Appendix C of 36 CFR 1194)

ICT support services (including, but not limited to help desks, call centers, training services, and automated self-service technical support, as applicable to this task order) shall:

  o Include information on the accessibility and compatibility features (see 602.2 in 36 CFR 1194)
  o Be provided directly to the user or through a referral to a point of contact and shall accommodate the communication needs of individuals with disabilities (see section 603.3 in 36 CFR 1194)

C.4.3 Service Level Requirements

The Contractor shall provide its services and associated technical and domain expertise in a manner that enables achievement of the Service Level Requirements described below. These objectives are intended to convey the outcomes the NRC desires as a result of successful support from the Contractor.

Each Service Level Requirement is listed below with its Metric, Acceptable Quality Level, and Method of Surveillance.

1. Metric: Number of draft and final deliverables delivered to the Government late without prior justification approval.
   Acceptable Quality Level: <1 per month
   Method of Surveillance: BPA Call COR reported number

2. Metric: Number of final deliverable errors (errors meaning technical inaccuracies and/or poor quality writing that interferes with consuming the deliverable's content, as determined by the BPA Call COR) noted by Government and returned for correction.
   Acceptable Quality Level: <3 per deliverable
   Method of Surveillance: BPA Call COR reported number

3. Metric: Time to submit ticket for SOC related tools and/or systems outage from identification of outage.
   Acceptable Quality Level: <15 minutes average
   Method of Surveillance: Measured by the BPA Call COR quarterly through comparison of ticket data with tool and/or system log reporting

4. Metric: Percentage of days each month that each step of the Daily Security Log and Report Review Checklist is completed to the BPA Call COR's approval.
   Acceptable Quality Level: >95%
   Method of Surveillance: Measured by the BPA Call COR monthly through review of checklist log

5. Metric: Percentage of time SOC is staffed by one or more individuals during on-site coverage windows.
   Acceptable Quality Level: >99%
   Method of Surveillance: Measured quarterly through random site audits by BPA Call COR or designated NRC personnel

6. Metric: Percentage of NRC Customer Service Center suspicious email tickets that result in log review, website blocking, and/or email purge requests sent to system administrators within two hours.
   Acceptable Quality Level: >95%
   Method of Surveillance: Measured quarterly by the BPA Call COR through comparison of vulnerability scan report to related tickets

7. Metric: Percentage of US-CERT reportable incidents reported to the designated NRC SOC POC within 30 minutes of incident categorization.
   Acceptable Quality Level: >95%
   Method of Surveillance: Measured quarterly by the BPA Call COR through review of Incident Response (IR) Tracking System reporting

8. Metric: Percentage of lessons learned exercises conducted within 5 business days for 'significant' incidents.
   Acceptable Quality Level: >75%
   Method of Surveillance: Measured quarterly by the BPA Call COR through comparison of IR Tracking System reporting to lessons learned exercises

9. Metric: Percentage frequency that annual incident response plan testing and training occurs.
   Acceptable Quality Level: 100%
   Method of Surveillance: Measured by completion of annual incident response plan testing and training (measurement conducted by the BPA Call COR)
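Several of the Service Level Requirements above are percentages of events handled inside a time threshold, judged against an Acceptable Quality Level written as a strict ">" bound. As an added example (not part of the BPA Call text, and not NRC's or CGI Federal's tooling), the following Python computes three of them from constructed SOC records: suspicious email tickets actioned within two hours, US-CERT reportable incidents reported within 30 minutes, and lessons learned exercises held within 5 business days. The record layout, timestamps, and the business-day rule (Monday to Friday, no holiday calendar) are assumptions of the example.

```python
"""
Added example, not from the BPA Call text: computing three of the C.4.3
Service Level Requirement percentages from constructed SOC records and
comparing each against its Acceptable Quality Level (AQL). The thresholds
(2 hours, 30 minutes, 5 business days) and AQLs (>95%, >95%, >75%) are the
ones stated in the PWS; the record formats and sample data are constructed.
"""
from datetime import datetime, timedelta


def parse_ts(text: str) -> datetime:
    """Parse the constructed 'YYYY-MM-DD HH:MM' timestamps used below."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def business_days_between(start: datetime, end: datetime) -> int:
    """Count Mon-Fri calendar days after start.date() up to and including end.date().
    Assumption of this example: no federal-holiday calendar is applied."""
    if end < start:
        raise ValueError("end precedes start")
    count = 0
    day = start.date() + timedelta(days=1)
    while day <= end.date():
        if day.weekday() < 5:  # Monday=0 ... Friday=4
            count += 1
        day += timedelta(days=1)
    return count


def percent_within(records, within) -> float:
    """Percentage of (opened, actioned) pairs for which within(opened, actioned)
    holds. Records not yet actioned (actioned is None) count as misses."""
    if not records:
        return 0.0
    hits = sum(
        1 for opened, actioned in records
        if actioned is not None and within(opened, actioned)
    )
    return 100.0 * hits / len(records)


def meets_aql(value: float, aql: float) -> bool:
    """The PWS states these AQLs as strict '>' thresholds, so 95.0 does not meet >95%."""
    return value > aql


# Constructed sample records (opened/categorized time, time actioned or None).
EMAIL_TICKET_BASE = parse_ts("2019-09-03 08:00")
SUSPICIOUS_EMAIL_TICKETS = [
    # 20 tickets; one (i == 7) took 150 minutes, the rest 45 minutes -> 19/20.
    (EMAIL_TICKET_BASE + timedelta(hours=i),
     EMAIL_TICKET_BASE + timedelta(hours=i, minutes=150 if i == 7 else 45))
    for i in range(20)
]
USCERT_INCIDENTS = [
    (parse_ts("2019-09-04 09:12"), parse_ts("2019-09-04 09:20")),
    (parse_ts("2019-09-10 14:00"), parse_ts("2019-09-10 14:29")),
    (parse_ts("2019-09-12 03:45"), parse_ts("2019-09-12 04:15")),  # exactly 30 min
    (parse_ts("2019-09-19 11:05"), parse_ts("2019-09-19 11:10")),
    (parse_ts("2019-09-27 16:40"), parse_ts("2019-09-27 16:58")),
]
SIGNIFICANT_INCIDENTS = [
    (parse_ts("2019-09-06 10:00"), parse_ts("2019-09-13 09:00")),  # 5 business days
    (parse_ts("2019-09-09 08:30"), parse_ts("2019-09-17 15:00")),  # 6 business days
    (parse_ts("2019-09-18 13:00"), parse_ts("2019-09-23 10:00")),  # 3 business days
    (parse_ts("2019-09-26 09:00"), None),                          # exercise not held
]

# (name, records, 'within' rule, AQL) for SLR items 6, 7 and 8 in C.4.3.
SLR_DEFINITIONS = [
    ("suspicious_email_within_2h", SUSPICIOUS_EMAIL_TICKETS,
     lambda o, a: a - o <= timedelta(hours=2), 95.0),
    ("uscert_reported_within_30m", USCERT_INCIDENTS,
     lambda o, a: a - o <= timedelta(minutes=30), 95.0),
    ("lessons_learned_within_5bd", SIGNIFICANT_INCIDENTS,
     lambda o, a: business_days_between(o, a) <= 5, 75.0),
]


def slr_report(definitions=SLR_DEFINITIONS) -> dict:
    """Measured value, AQL and pass/fail for each SLR definition."""
    out = {}
    for name, records, within, aql in definitions:
        value = percent_within(records, within)
        out[name] = {"value": round(value, 1), "aql": aql, "meets": meets_aql(value, aql)}
    return out


if __name__ == "__main__":
    for name, row in slr_report().items():
        print(name, row)
```

The strict comparison in `meets_aql` is deliberate: the sample email data lands exactly on 95.0%, which the PWS wording (">95%") does not accept, and an unheld lessons learned exercise is counted as a miss rather than silently dropped from the denominator.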

C.5 REQUIRED PERFORMANCE METRICS

Each row lists the Task or Deliverable, Metric Type, Performance Standard, Acceptable Quality Level, Surveillance Method, and Incentive (Negative).

1. Task or Deliverable: Timeliness of Deliverables
   Metric Type: Efficiency
   Performance Standard: Deliverables shall be submitted in accordance with the delivery requirements required by the PWS.
   Acceptable Quality Level: 100% of the reports are submitted on time.
   Surveillance Method: BPA Call COR Tracking / Customer Complaints
   Incentive (Negative): 1% of the firm-fixed-price portion of the invoice may be deducted for every one (1) business day late, up to a maximum of 15% of the firm-fixed-price portion of the invoice. Notwithstanding the foregoing, the Contractor may be terminated for cause if final deliverables are not provided by the due date.

2. Task or Deliverable: Service Level Requirement (SLR) Compliance
   Metric Type: Efficiency
   Performance Standard: The Contractor shall meet or exceed the Service Level Requirements described in this document.
   Acceptable Quality Level: As described by each Service Level Requirement in this document.
   Surveillance Method: As described by each Service Level Requirement in this document.
   Incentive (Negative): 2% of the firm-fixed-price portion of the invoice may be deducted for every one (1) business day late, up to a maximum of 15% of the firm-fixed-price amount of the invoice. Notwithstanding the foregoing, the Contractor may be terminated for cause if final deliverables are not provided by the due date.

NOTE REGARDING ABOVE TABLE: Reports are not counted as late when, on a case-by-case basis, the BPA Call COR approves later report submission. Also, on a case-by-case basis, the BPA Call COR may elect to deem an SLR metric compliant even if the compliance number is not in alignment with the standards described in this PWS.

C.6 STAFFING/KEY PERSONNEL REQUIREMENTS

C.6.1 Staffing

All personnel performing work under this BPA Call shall have pertinent technical and professional experience by discipline and technical area. Experience in these disciplines and technical areas must be related to the design, analysis, engineering, operation, maintenance, and security of an Enterprise network and the duties of a Security Operation Center. It is the responsibility of the Contractor to provide personnel who have the required educational background, experience, security clearances (as applicable) and access authorization, or combination thereof, to meet both the technical and regulatory objectives of the work specified in this BPA Call. The specific individuals and roles requiring a Top Secret clearance will be discussed and determined with the Contractor after BPA Call award. The NRC will pay for the Contractor to obtain a clearance. If the BPA Call COR declares that the person in question must have an active clearance on Day 1, then the person is not billable to the BPA Call while waiting to be cleared.

The number of Contractor personnel required will vary during the course of the BPA Call.

The Contractor may need to provide additional resources on a temporary basis to address specific events, such as malware resolution or forensics, when directed by the BPA Call COR. The Government reserves the right to review resumes for all proposed candidates for positions designated as key personnel and accept or reject any or all of the candidates.

The Contractor shall ensure that its personnel maintain any required professional certifications, accreditations, and proficiency relative to their areas of expertise. The Contractor shall retain documentation of such records. The Government will not pay expenses incurred by the Contractor or by individual Contractor personnel to meet professional certification and accreditation requirements.

All Contractor personnel shall be fully proficient in the areas in which they work. All Contractor personnel shall routinely:

1. Keep current with advances in relevant technology and share this knowledge with the BPA Call COR
2. Act in a consultative manner, proactively searching for creative solutions and strategies
3. Respond promptly, professionally, and courteously to Government requests for assistance and advice on in-scope NRC cybersecurity topics
4. Freely provide knowledge transfer of work products and technology expertise associated with contracted services

C.6.1.1 Staffing Requirements

The Contractor shall provide staffing for the NRC SOC core functions in the following positions and coverage. The overall staffing level for the SOC is expected to include approximately two (2) Tier 1 staff, two (2) Tier 2 staff, and two (2) Tier 3 staff. Expected staffing levels represent only current estimates and are subject to change prior to and during the life of this BPA Call. In addition, two different Key Personnel roles cannot be shared by the same person. Outside of Key Personnel, NRC defers to the Contractor's expertise regarding the staffing approach they want to take.

SOC Functional Role | On-Site Coverage Days/Hours | On-Site Staffing FTE | On-Call Coverage Days/Hours | On-Call Staffing FTE
Tier 1 Support      | Mon-Fri, 6AM to 6PM         | 2                    | N/A                         | 0
Tier 2 Support      | Mon-Fri, 6AM to 6PM         | 2                    | N/A                         | 0
Tier 3 Support      | Mon-Fri, 6AM to 6PM         | 2                    | 365 Days x 24 Hours         | 1

C.6.1.1.1 Tier 1 Personnel

Tier 1 Personnel are NOT Key Personnel. Tier 1 Personnel shall have demonstrated professional experience in network or UNIX/Linux system administration, software engineering, software development, and/or a bachelor's degree. The personnel must possess:

Experience working with security methodologies and processes that touched upon Transmission Control Protocol / Internet Protocol (TCP/IP) protocols, email security, network monitoring, and incident response

Experience providing analysis and trending of security log data from a large number of heterogeneous security devices

Experience configuring a diverse array of technical security solutions

C.6.1.1.2 Tier 2 Personnel

Tier 2 Personnel are NOT Key Personnel. Tier 2 Personnel shall have demonstrated professional experience in incident detection and response, malware analysis, or cyber forensics, and a bachelor's degree. Personnel must have extensive experience working with various security methodologies and processes that touched upon TCP/IP protocols; experience configuring and optimizing various technical security solutions; extensive experience providing analysis and trending of security log data from a large number of heterogeneous security devices; and specialized professional experience in two or more of the following areas related to cybersecurity:

Vulnerability Assessment
Continuous diagnostics and mitigation
Intrusion Prevention and Detection
Access Control and Authorization
Endpoint Protection
Application Security
Protocol Analysis
Firewall Management
Incident Response
Encryption
Web filtering
Advanced Threat Protection
Data Loss Prevention

In addition to the on-site and on-call staffing, the NRC has included an optional CLIN for on-site After Hours security monitoring. This optional CLIN is in addition to the staffing requirements noted above for both on-site and on-call resources.

C.6.1.2 Key Personnel

C.6.1.2.1 Key Personnel 1

The individual shall have demonstrated capabilities to analyze highly complex cybersecurity and network issues, recommend plans of action for SOC Contractor and SOC Government staff, and manage Contractor teams supporting resolution of these issues. This individual shall serve as the Contractor's primary contact for the OCIO NRC SOC Government personnel and the NRC CISO.

The individual shall also ensure the Contractors performance complies with all BPA Call requirements and shall act as the primary point of contact for the work to be performed. The individual shall have sufficient corporate authority to direct, execute, and control all contractor personnel. The individual shall also ensure that all necessary operational personnel are available on call during nonworking hours to meet emergent requirements.

C.6.1.2.2 Key Personnel 2

Given the specific skills and experience required to manage transition as well as the expected workload of the lead individual, the NRC has identified the need for a designated role to address the initial transition of the services from the incumbent to the Contractor. This individual shall act as the on-site coordinator and primary Government point of contact for transition and establishment of assets (if any), resources, and processes required to stand up its services for the NRC under this BPA Call.

In addition to the BPA labor category requirements, this individual shall possess previous experience with large-scale service and contract transition and demonstrated skill at working collaboratively with the Government to address opportunities and issues as they are identified during transition. It is expected that the requirement for this specific role will conclude upon successful conclusion of the phase-in period for this BPA call.

C.6.1.2.3 Key Personnel 3

The individual shall possess specialized professional experience responding to information system security incidents, including skills in digital media forensic analysis. The individual shall also:

Use the agency-furnished toolset to identify and determine root causes of incidents
Provide required documentation and possible evidence to security investigators
Lead incident remediation efforts

Specifically, the majority of the work is anticipated to be coordination and oversight; however, there will also be situations where more hands-on activities will be necessary.

The individual shall also have specialized professional experience in one or more of the following areas: collecting, synthesizing, fusing, or authoring unclassified and classified cyber threat intelligence products, email security, including identification of phishing attempts, malware detonation, static malware code disassembly/analysis, and/or runtime malware code analysis.

C.6.1.2.4 Tier 3 Personnel

Tier 3 Personnel positions are Key Personnel. Tier 3 Personnel shall have demonstrated professional experience in network security architecture, incident detection and response, malware analysis, or cyber forensics, and a bachelor's degree. The personnel must have demonstrated experience analyzing and synthesizing information with other relevant data sources, providing guidance and mentorship to others in cyber threat analysis and operations, evaluating, interpreting, and integrating all sources of information, and fusing computer network attack analyses with counterintelligence and law enforcement investigations.

Additionally, Tier 3 Personnel shall possess specialized professional experience in security, information risk management, or information systems risk assessment, and must be knowledgeable in many areas such as Intrusion Prevention and Detection, Protocol Analysis, Incident Response, Data Loss Prevention (DLP), Advanced Threat Protection, Log Analysis, Network Traffic Packet Analysis, script development, and email analysis.

C.6.1.3 Changes to Key Personnel

Proposed changes of key personnel shall be provided in writing to the CO and BPA Call COR for approval. This notification shall be submitted at least fifteen (15) business days in advance of the proposed substitution or immediately following the resignation or death of the key personnel.

The proposed change submittal shall describe the proposed action (including resignation if applicable), any corresponding transition plan, and assessment of the anticipated impact to the Contractor's effort on the BPA Call. All proposed substitutes shall have qualifications equal to, or greater than, the person to be replaced; a resume shall be provided to validate qualifications.

The CO in consultation with the BPA Call COR shall evaluate such requests and notify the Contractor within five (5) business days, in writing, of his/her approval or disapproval thereof. At the discretion of the BPA Call COR, a meeting with the proposed key personnel may be required to verify that the proposed substitute has qualifications equal to, or greater than, the person to be replaced. The BPA Call COR shall notify the Contractor ten (10) business days in advance of the proposed substitution date if the BPA Call COR chooses to conduct a meeting to review the qualifications of the proposed individual. Only the CO has authority to accept or deny key personnel substitutions.

SECTION D - PACKAGING AND MARKING

D.1 MARKING DELIVERABLES

The Contractor shall include the GLINDA BPA number and the BPA Call number on, or adjacent to, all exterior mailing or shipping labels of deliverable items called for by the BPA Call, except for reports. Mark deliverables for the BPA Call COR. Additional deliverable markings may be outlined in awarded work packages.

(End of Clause)

SECTION E - INSPECTION AND ACCEPTANCE

E.1 INSPECTION AND ACCEPTANCE BY THE NRC (SEP 2013)

Inspection and acceptance of the deliverable items to be furnished hereunder shall be made by the BPA Call COR at the destination, in accordance with FAR 52.247 F.o.b. Destination.

Contract Deliverables: Please see the following sections for contract deliverables:

C.4.2.1.6
C.4.2.2.5
C.4.2.3.5
C.4.2.4.1

(End of Clause)

E.2 INSPECTION AND ACCEPTANCE OF DELIVERABLES

The BPA Call COR will have five (5) business days to complete the review of each deliverable and accept or reject the deliverable by giving written notice. When the Government fails to complete the review within the review period, the deliverable shall become acceptable, unless an extension of the review period is requested and mutually agreed upon. In the event of rejection of any deliverable, the Contractor shall be so notified in writing by the BPA Call COR and given the specific reason(s) for the rejection. The Contractor shall have three (3) business days to correct the rejected deliverable and return it to the BPA Call COR for inspection. The Contractor shall be allowed one resubmission of deliverables; any other resubmissions shall be at the Contractor's time and expense.

Payment of the Contractor's price shall be a result of the Government's acceptance of the Contractor's deliverables and performance level. The payment for every invoice will be reduced by the disincentive fees described in Section C.7 Required Performance Metrics for the associated CLIN for each unacceptable deliverable or missed SLR performance level, regardless of Contractor performance on other CLINs. Disincentive fees may not be earned back by the Contractor after the one resubmission allowance. Furthermore, if subsequent resubmissions lead to a project delay for the Government, the Contracting Officer reserves the right to equitably adjust the price to be paid downward. The CO and/or BPA Call COR shall notify the Contractor of such an adjustment prior to the adjustment occurring.

(End of Clause)

SECTION F - DELIVERIES OR PERFORMANCE

F.1 PERIOD OF PERFORMANCE ALTERNATE

This contract shall commence on September 29, 2017 and will expire on September 28, 2020.

There are also two (2) one-year option periods. The NRC anticipates the following activities to occur in the first year of the base period of performance:

Base Period: September 29, 2017 - September 28, 2020

a. First two months - Contractor personnel initiates and completes NRC Security Processing.
b. December 4, 2017 - January 31, 2018 - Transition-in period for BPA Call Awardee and transition-out period for ITISS Contractor. Transition process may start earlier or later depending on the security process.

Option Period 1: September 29, 2020 - September 28, 2021
Option Period 2: September 29, 2021 - September 28, 2022

(End of Clause)

F.2 PLACE OF DELIVERY - REPORTS

The items to be furnished hereunder shall be delivered, with all charges paid by the Contractor, to:

BPA Call COR (electronic copy)

Name: Kathryn Harris
Email Address: Kathryn.Harris@nrc.gov

Alternate BPA Call COR (electronic copy)

Name: Michael Lidell
Email Address: Michael.Lidell@nrc.gov

(End of Clause)

F.3 PLACE OF PERFORMANCE

The Contractor shall perform BPA Call services at the primary NRC SOC facilities in Rockville, MD. To address the NRC's COOP requirements, one or more personnel may be located at the Agency's COOP location for an undetermined duration during COOP plan activation. Local travel within the National Capital Region and long-distance travel to the NRC COOP facility, to NRC Regional facilities, to other government agency facilities, and to private sector facilities may be required.

The BPA Call COR shall identify and authorize travel requirements on a case-by-case basis; all travel must be approved by the BPA Call COR in advance and will be reimbursed in accordance with FAR 31.205-46. Travel reimbursement does not apply for travel occurring within forty (40) miles of the primary NRC SOC facility in Rockville, MD.

(End of Clause)

F.4 HOURS OF OPERATION

Currently, normal working hours at NRC Headquarters are 6:00 a.m. - 6:00 p.m. Eastern Time, Monday through Friday, excluding Federal Holidays. NRC Regional Offices in different time zones generally have normal working hours of 6:00 a.m. - 6:00 p.m. local time. Contractor personnel are expected to conform to the NRC's normal operating hours, with exceptions for those functions which require 24 x 7 x 365 support. Additional exceptions to normal working hours would be for maintenance and production changes, made outside of normal working hours so as not to disrupt agency operations.

(End of Clause)

F.5 FEDERAL HOLIDAYS

Federal Holidays are listed at https://www.opm.gov/policy-data-oversight/snow-dismissal-procedures/federal-holidays.

(End of Clause)

SECTION G - CONTRACT ADMINISTRATION DATA

G.1 BPA CALL COR AUTHORITY

(a) The contracting officer's representative (COR) for this BPA Call is:

Name: Kathryn Harris
Address: 11601 Landsdown Street, North Bethesda, MD 20852
Telephone Number: 301-287-0515

The alternate COR for this BPA Call is:

Name: Michael Lidell
Address: 11601 Landsdown Street, North Bethesda, MD 20852
Telephone Number: 301-287-9265

(b) Performance of the work under this BPA Call is subject to the technical direction of the BPA Call COR. The term "technical direction" is defined to include the following:

(1) Technical direction to the Contractor which shifts work emphasis between areas of work or tasks, authorizes travel which was unanticipated in the Schedule (i.e., travel not contemplated in the PWS, or changes to specific travel identified in the PWS), fills in details, or otherwise serves to accomplish the PWS requirements.

(2) Provide advice and guidance to the Contractor in the preparation of drawings, specifications, or technical portions of the work description.

(3) Review and, where required by the BPA Call, approve technical reports, drawings, specifications, and technical information to be delivered by the Contractor to the Government under the BPA Call.

(c) Technical direction must be within the general PWS in the BPA Call. The BPA Call COR does not have the authority to and may not issue any technical direction which:

(1) Constitutes an assignment of work outside the general scope of the BPA Call.

(2) Constitutes a change as defined in the "Changes" clause of the GSA Schedule contract against which the GLINDA BPA was awarded.

(3) In any way causes an increase or decrease in the total estimated contract cost or the time required for contract performance.

(4) Changes any of the expressed terms, conditions, or specifications of the BPA Call.

(5) Terminates the BPA Call, settles any claim or dispute arising under the BPA Call, or issues any unilateral directive whatever.

(d) All technical directions must be issued in writing by the BPA Call COR or must be confirmed by the BPA Call COR in writing within ten (10) working days after verbal issuance. A copy of NRC Form 445, Request for Approval of Official Foreign Travel, which has received final approval from the NRC must be furnished to the contracting officer.

(e) The Contractor shall proceed promptly with the performance of technical directions duly issued by the BPA Call COR in the manner prescribed by this clause and within the BPA Call CORs authority under the provisions of this clause.

(f) If, in the opinion of the Contractor, any instruction or direction issued by the BPA Call COR is within one of the categories defined in paragraph (c) of this section, the Contractor may not proceed but shall notify the contracting officer in writing within five (5) working days after the receipt of any instruction or direction and shall request the contracting officer to modify the contract accordingly. Upon receiving the notification from the Contractor, the contracting officer shall issue an appropriate contract modification or advise the Contractor in writing that, in the contracting officer's opinion, the technical direction is within the scope of this article and does not constitute a change under the "Changes" clause.

(g) Any unauthorized commitment or direction issued by the BPA Call COR may result in an unnecessary delay in the Contractor's performance and may even result in the Contractor expending funds for unallowable costs under the BPA Call.

(h) A failure of the parties to agree upon the nature of the instruction or direction or upon the action to be taken with respect to the instruction or direction is subject to 52.233 Disputes in the GSA contract against which the GLINDA BPA was awarded.

(i) In addition to providing technical direction as defined in paragraph (b) of this section, the BPA Call COR shall:

(1) Monitor the Contractor's technical progress, including surveillance and assessment of performance, and recommend to the contracting officer changes in requirements.

(2) Assist the Contractor in the resolution of technical problems encountered during performance.

(3) Review all costs requested for reimbursement by the Contractor and submit to the contracting officer recommendations for approval, disapproval, or suspension of payment for supplies and services required under this BPA Call.

2. Appropriate (as defined by the BPA Call COR) access privileges to the technologies described in the SOW

Include an asterisk (*) if the item also applies to paragraph (b) below.

(b) The equipment/property listed below is hereby transferred from contract/agreement number: [], to contract/agreement number: []: Not Applicable

(c) Only the equipment/property listed above in the quantities shown will be provided by the Government. The Contractor shall be responsible and accountable for all Government property provided under this contract and shall comply with the provisions of the FAR Government Property Clause under this BPA Call and FAR Subpart 45.5, as in effect on the date of this BPA Call. The Contractor shall investigate and provide written notification to the NRC Contracting Officer (CO) and the NRC Division of Facilities and Security, Physical Security Branch of all cases of loss, damage, or destruction of Government property in its possession or control not later than 24 hours after discovery. The Contractor must report stolen Government property to the local police, and a copy of the police report must be provided to the CO and to the Division of Facilities and Security, Office of Administration.

(d) All other equipment/property required in performance of the call shall be furnished by the Contractor.

(End of Clause)

SECTION I - CONTRACT CLAUSES

I.1 RESERVED

I.2 RESERVED

I.3 52.217-8 OPTION TO EXTEND SERVICES (NOV 1999)

The Government may require continued performance of any services within the limits and at the rates specified in the contract. These rates may be adjusted only as a result of revisions to prevailing labor rates provided by the Secretary of Labor. The option provision may be exercised more than once, but the total extension of performance hereunder shall not exceed 6 months. The Contracting Officer may exercise the option by written notice to the Contractor at any time prior to expiration.

(End of clause)

I.4 52.217-9 OPTION TO EXTEND THE TERM OF THE CONTRACT (MAR 2000)

(a) The Government may extend the term of this contract by written notice to the Contractor at any time prior to expiration; provided that the Government gives the Contractor a preliminary written notice of its intent to extend at any time before the contract expires. The preliminary notice does not commit the Government to an extension.

(b) If the Government exercises this option, the extended contract shall be considered to include this option clause.

(c) The total duration of this contract, including the exercise of any options under this clause, shall not exceed 5 years.

(End of clause)

I.5 52.232-19 AVAILABILITY OF FUNDS FOR THE NEXT FISCAL YEAR. (APR 1984)

Funds are not presently available for performance under this contract beyond September 28, 202019. The Government's obligation for performance of this contract beyond that date is contingent upon the availability of appropriated funds from which payment for contract purposes can be made. No legal liability on the part of the Government for any payment may arise for performance under this contract beyond September 28, 202019, until funds are made available to the Contracting Officer for performance and until the Contractor receives notice of availability, to be confirmed in writing by the Contracting Officer.

(End of clause)

I.6 TRAVEL APPROVALS AND REIMBURSEMENT

(a) All foreign travel must be approved in advance by the NRC on NRC Form 445, Request for Approval of Official Foreign Travel, and must be in compliance with FAR 52.247-63 Preference for U.S. Flag Air Carriers. The Contractor shall submit NRC Form 445 to the NRC no later than 30 days before beginning travel.

(b) The Contractor must receive written approval from the BPA Call COR before taking travel that was unanticipated in the Schedule (i.e., travel not contemplated in the PWS, or changes to specific travel identified in the PWS).

(c) The Contractor will be reimbursed only for travel costs incurred that are directly related to this contract and are allowable subject to the limitations prescribed in FAR 31.205-46.

(d) It is the responsibility of the Contractor to notify the contracting officer in accordance with the Limitations of Cost clause of this contract when, at any time, the Contractor learns that travel expenses will cause the Contractor to exceed the estimated costs specified in the Schedule.

(e) Reasonable travel costs for research and related activities performed at State and nonprofit institutions, in accordance with Section 12 of Pub. L. 100-679, must be charged in accordance with the Contractor's institutional policy to the degree that the limitations of Office of Management and Budget (OMB) guidance are not exceeded. Applicable guidance documents include OMB Circular A-87, Cost Principles for State and Local Governments; OMB Circular A-122, Cost Principles for Nonprofit Organizations; and OMB Circular A-21, Cost Principles for Educational Institutions.

(End of Clause)

I.7 OPTION FOR ACQUISITION OF EVALUATED OPTIONAL FEATURES NOT PROCURED AT TIME OF AWARD OF CONTRACT (IT REQUIREMENTS)

The Government may exercise the option to acquire the evaluated optional features stated elsewhere in this contract at unit prices specified therein. The Contracting Officer may exercise this option by written notice to the Contractor at any time prior to the expiration of the contract.

Delivery of the evaluated optional features added by exercise of the option shall be in accordance with the delivery schedule set forth elsewhere in this contract.

(End of Clause)

I.8 52.252-2 CLAUSES INCORPORATED BY REFERENCE. (FEB 1998)

This contract incorporates one or more clauses by reference, with the same force and effect as if they were given in full text. Upon request, the Contracting Officer will make their full text available. Also, the full text of a clause may be accessed electronically at this/these address(es): www.acquistion.gov/far

(End of clause)

52.227-14 RIGHTS IN DATA - GENERAL (MAY 2014)
52.227-16 ADDITIONAL DATA REQUIREMENTS (JUN 1987)
52.227-17 RIGHTS IN DATA - SPECIAL WORKS (DEC 2007)
52.232-22 LIMITATION OF FUNDS (APR 1984)
52.237-3 CONTINUITY OF SERVICES (JAN 1991)

SECTION J - LIST OF DOCUMENTS, EXHIBITS AND OTHER ATTACHMENTS

Attachment # / Title
Attachment 1: NRC Management Directive 12.5, NRC Cyber Security Program
Attachment 2: Current NRC Cyber Security Technologies
Attachment 3: NRC Security Standards/Document List
Attachment 4: Clause 3 - Security Requirements for Building Access Approval
Attachment 5: Security Requirements for Information Technology Level I or II Access
Attachment 6: Acronyms Summary
Attachment 7: Billing Instructions for Labor-Hour or Time-and-Materials Contracts (updated Mod 00002)
Attachment 8: Billing Instructions for Firm-Fixed-Price Contracts (updated Mod 00002)
Attachment 9: SOC Services Cost/Price Spreadsheet
Attachment 10: Reserved