
U.S. Equal Employment Opportunity Agency
Statement of Work for Automated Information Security Program Update

Statement of Work
Review of IT Security Program and Systems

1.0 INTRODUCTION

The Hypothetical Government Agency (HGA) has an immediate requirement for
contractual support for a review and assessment of its Information Security Program and
ongoing technical security consulting services. As a means of implementing the General
Accounting Office’s (GAO) five best practices for risk management, HGA is undertaking
a review of its entire Automated Systems Security Program to include risk
analysis/vulnerability assessment of its systems, assessment of the automated security
program, security awareness training, development and enhancement of security plans,
continuity and contingency planning, and infrastructure protection review.

1.1 OBJECTIVE

This Statement of Work (SOW) is being issued on behalf of the HGA, located at 1111
First Street, Washington, D.C. 20001. HGA is requesting qualified bidders under the
General Services Administration, Federal Technology Service, Office of Information
Security SAFEGUARD program, to respond to the tasks described in this SOW.

1.2 BACKGROUND

The Hypothetical Government Agency’s (HGA) mission is:

(insert agency mission)

1.2.1 Organization of the Agency

(insert agency organization)

1.2.2 Technical Infrastructure

The Agency is engaged in a long-term effort to modernize its information-processing
infrastructure. This effort includes high performance desktop systems,
software enhancements for improved functionality and integration, and networked
systems for improved communications and resource sharing.

The Agency’s Office of Information Resources Management (OIRM) is
responsible for the IT modernization effort. OIRM has recently completed the
deployment of local area networks (LANs) in the field offices and is now seeking
to utilize the enhanced technical infrastructure to introduce value-added services
to the HGA user community. In addition to the LAN deployment in the respective
field offices, OIRM is in the process of completing its implementation of a wide
area network (WAN). The WAN hardware being used is Cisco routers. In the
first phase of the implementation, the WAN was extended to the 55 district offices
and the Washington Field Office. In the second phase of the deployment, OIRM
will be extending the WAN to the 25 area and local offices.

The mission-critical Charge Data System (CDS) is installed in each of the field
offices, hosted by Unix-based computers. Upon completion of the LAN
installation, access to CDS is accomplished using TCP/IP across the network-
cabling infrastructure. The desktop PC supports both IPX and IP protocols.

IPX is used to provide connectivity from the desktop to the file server. IP is used
to provide connectivity to the current CDS system and the Internet and will be
used to provide connectivity to the new Integrated Mission System (IMS) in the
future. OIRM has a defined IP/IPX addressing plan for the Agency.

1.2.3 Computing Environment

The Agency’s desktop computers are all Pentium class machines with a mix of the
Windows 95/Windows 98 operating systems. All desktop computers in the
Agency are Dell computers.

The minimum file server standard for the Agency is a Pentium, 200 MHz
machine with a minimum of 128 MB of RAM, and dual 9 GB drives.

The Agency’s current standard for its network operating system is Novell
NetWare 4.11 (IntraNetWare).

HGA’s standard office automation software is Corel’s WordPerfect Suite 8 Legal
Edition and Novell’s GroupWise 5.2. The network client software is Novell’s
Client 32, and Microsoft’s TCP/IP stack is used for IP communication. Virus
protection for the file servers and workstations is provided through Intel’s
(Symantec) LANDesk. The Agency’s standard browser is Netscape.


2.0 SCOPE

HGA has an immediate requirement for contractual support for technical security
consulting services for its Automated Information Security Program. As a means of
implementing the General Accounting Office’s (GAO) five best practices for risk
management, HGA is undertaking a review of its entire Automated Systems Security
Program to include risk analysis/vulnerability assessment of its systems, assessment of
the automated security program, security awareness training, development and
enhancement of security plans, continuity and contingency planning, and infrastructure
protection review.

The immediate project requirement consists of the review, revision, and enhancement of
HGA's information technology and automated information security program as mandated
in the Computer Security Act of 1987 and OMB Circular A-130 - Appendix III. The
review process must also consider other Federal guidance, i.e., the impact on system
security through the implementation of electronic signature as part of the Government
Paperwork Elimination Act (GPEA).

The first phase of this project consists of a risk analysis/vulnerability assessment of
specified HGA systems. For those systems being considered as part of GPEA, further
risk assessment to evaluate electronic signature alternatives will be conducted as part of a
later task.

The second phase of this project consists of an assessment and recommendations for
HGA’s automated information security program and specific enhancements in the area of
security awareness and training. Security plans for selected HGA systems will be
reviewed and updated as part of this assessment phase. Specific tasks for the project are
described below.

HGA requires contractors with technical expertise in the development and assessment of
automated information security programs, development of security plans, experience in
conducting risk analyses and vulnerability assessments, expertise in continuity and
contingency planning, and proficiency in the development of security awareness training
programs. In-depth knowledge of federal security guidelines, e.g., Computer Security
Act of 1987, OMB Circular A-130 - Appendix III and Presidential Decision Directive
(PDD) 63 as well as Federal and industry security best practices must also be
demonstrated.

3.0 TASKS


3.1 Task #1. General Description

The Contractor will conduct a risk analysis/vulnerability assessment for several
HGA systems. The minimum number of systems to be reviewed will be six and
consist of the IMS (Integrated Mission System), CDS (Charge Data System),
Network (Local and Wide Area Network), FINASST (Agency’s Financial
Management System), HGA-1, and CAD (Certification and Dispersal) system.
See Appendix A for a more detailed description of these systems.

3.1.1 Task #1. Responsibilities

The contractor, working with HGA's computer security program manager and
with other HGA/OIRM officials responsible for the respective HGA systems must
conduct a complete risk analysis. The risk analysis for each system will consist of
six specific elements: definition of scope of analysis, identification of the
agency’s critical assets, determination of the best analytical
(qualitative/quantitative) base for an evaluation, identification of potential risks,
evaluation of the risk profile (vulnerability assessment), and identification and
recommendations for cost-effective safeguards.

The process for the review and creation of the risk analysis report will be the
same for each system under review. The deliverables identified below are
required for each system. The complete set of deliverables will be received and
accepted prior to the start of the process for the subsequent system’s risk analysis.

3.1.2 Task #1. Deliverables

1. Draft outline. A written draft outline of the risk analysis report must be
provided. This outline will provide the basis for the draft and final report
deliverables for this task. The outline must contain sufficient detail to
indicate all pertinent areas of the risk analysis will be addressed and
should include all areas in which risks will be reviewed, e.g., physical,
operating system, application, data, emergency preparedness, backup,
disaster recovery, etc. This deliverable will be required for ONLY the first
risk analysis. All subsequent risk analyses will utilize the same format.
This deliverable is due 5 working days after the start of this task. The
government will provide written comments within 5 working days after
receipt of the draft outline.


2. Draft report. A written draft report, based on the approved draft outline,
which contains approximately the first 50% of the elements required in the
risk analysis report is required as a deliverable. The draft report must
contain the complete write-ups for the first half of the risk analysis,
including but not limited to the first 3 items noted above, as well as the
assessment of physical, data, and operating system security. This
deliverable is due 20 working days after the government’s acceptance of
the draft outline. The government will have 10 working days to review
the deliverable and provide written comments to the contractor.

3. Final report. The final report must address all written government
comments on the prior draft. The final report must include the complete
risk analysis for the system, which includes all items identified in the draft
report, the remainder of the risk identification section, and the final 3
items noted above. This final report deliverable is due 20 working days
from the receipt of the government’s comments on the draft report. The
government will have 10 working days to review the final report and
provide written comments to the contractor. The contractor must
incorporate or address all of the government’s written comments before
the deliverable will be accepted as final by the government. The final
deliverable is due 5 days after receipt of the government’s written
comments.

NOTE: Two of the three deliverables (draft and final report) will be
required for all six HGA systems. Therefore, the total number
of deliverables for this task is 13.

3.2 Task #2. General Description

HGA requires a detailed review and assessment of HGA’s Automated Information
Security Program relative to Federal government laws and guidance, including but not
limited to the Computer Security Act of 1987, OMB Circular A-130-Appendix III, and
other Federal agencies’ best practices.

3.2.1 Task #2. Responsibilities

The Contractor will review HGA’s existing automated information security
program as documented in the current and proposed draft revision of the HGA
Security Policy, with special reference to Appendix A of the proposed draft
revision (Information Security Responsibilities of HGA Employees). The
Contractor will also review other HGA documentation which defines HGA's
and HGA’s OIRM mission statements.

The review will consist of an assessment of compliance with the Computer
Security Act of 1987 and OMB Circular A-130. The review will identify any
deficiencies or weaknesses in the HGA Security Program. In addition the review
will evaluate HGA’s Security Program relative to GAO’s Executive Guide on
Information Security Management “Learning from Leading Organizations” and
other Federal agencies whose security programs could serve as models of “best
practices”. The deliverables from the prior task (risk assessment) will also be
included in the review.

The review will include specific recommendations to correct any deficiencies or
weaknesses and improve the HGA Security Program relative to “best practices”
that are applicable to HGA. The recommendations must be specific and contain
sufficient detail to be capable of being implemented. The recommendations must
also include the level of effort and/or cost required to complete each separate
recommendation.

3.2.2 Task #2. Deliverables

1. Report outline. A written report outline which identifies specific areas
required and best practices to be assessed in the review of the HGA
Security Program must be developed. This outline will provide the basis
for the draft and final report deliverable for this task. The outline must
contain sufficient detail to indicate all relevant Federal statutory
requirements have been addressed. This outline must be provided to the
government in both hard-copy and electronic format (WordPerfect 8.0) 10
working days after the initial kick-off meeting for this task. The
government will provide written comments on the report outline within 5
working days of receipt of the report outline.

2. Draft report. A written draft report, based on the approved draft matrix
(outline) which contains the results of the review of the HGA Security
Program relative to Federal statutory requirements and Federal agencies’
“best practices” is required as a deliverable. The draft report must contain
sufficient detail to indicate all relevant Federal statutory requirements have
been reviewed. Weaknesses or deficiencies need to be expressly identified
as such with the Federal law, guideline, or best practice clearly identified.
The draft report need not contain the complete recommendation for
correction/enhancement of all of the identified weaknesses or deficiencies.
For those items in which the recommendation has been written, the costs
and resources required to implement the recommendation must be
documented. This deliverable in both hard-copy and electronic
(WordPerfect 8.0) format is due 20 working days after the start of this
task. The government will provide written comments on the draft within 5
working days of receipt of the deliverable.

3. Final report. The final report must address all written government
comments on the prior draft. The final report must include all weaknesses
or deficiencies and the recommendations for correction of the weakness or
deficiency. The recommendations must include the level of effort or cost
required to correct the deficiency and must contain enough detail that the
recommendation would be capable of being implemented. The report
should also identify any areas of the HGA Security Directive which must
be modified in light of these recommendations. The final report
deliverable is due 15 working days from the receipt of the government’s
comments on the draft report. The government will have 10 working days
to review the final report and provide written comments to the contractor.
The contractor must incorporate or address all of the government’s written
comments before the deliverable will be accepted as final by the
government. The contractor will have 5 days to finalize the report.

3.3 Task #3. General Description

HGA requires technical support in the area of Security Training and Security Awareness.
HGA requires the conducting of security training for HGA’s system owners. HGA also
requires the development of curriculum or security awareness documentation that can be
used on an Agency-wide basis.

3.3.1 Task #3. Responsibilities


The contractor will develop security training materials specifically designed to
assist key OIRM staff and HGA officials responsible for major application and
general support systems to participate in the enhancement or development of the
security plans for their systems. The objectives of this training will be to orient
the staff and appropriate officials concerning their security role and
responsibilities relative to their system and to orient them for their role in
assisting the Contractor with the task of developing security plans and operational
procedures (described below). The training modules should be developed
following the general outline documented in NIST Special Publication 800-18,
“Guide for Developing Security Plans for Information Technology Systems”. The
training should be considered fairly high-level and is expected to consist of
approximately 6-8 classroom hours of training material.

The contractor will also conduct an assessment of the current security information
provided to all HGA employees relative to that required by current government-
wide directives such as OMB Circular A-130. Based upon this assessment, the
contractor will update/develop, in conjunction with HGA requirements as
identified in the risk analysis task (defined above), a security awareness
brochure/pamphlet or recommend commercial-off-the-shelf training materials that
can be provided/used by all HGA personnel. This brochure will contain
information required by government-wide directives and specific HGA
implementing procedures and be designed to provide to all employees their
individual security responsibilities.

3.3.2 Task #3. Deliverables

1. Draft outline of security training course. A draft outline of the security
training curriculum must be provided. The outline must be segmented in
modules, contain a description of the objective of each module, and an
estimated length of time to cover the module. This deliverable is due 5
working days after the completion of Task #1. The government will have
3 working days to complete their review and provide written comments to
the contractor.

2. Security Training Course materials. The entire course must be delivered
as a completed package. All modules must be completely defined with
appropriate objectives of each module identified. The materials should be
sufficiently documented so that they can be used as a reference guide in
the development of the key components in a security plan. This
deliverable is due 15 working days after the completion of the prior
deliverable in this task (draft outline). The deliverable must be submitted
in a bound hard-copy (two copies) and electronic format (WordPerfect 8.0
format). The course materials will become the property of HGA. The
government will have 10 working days to review the course materials and
provide written comments to the contractor. The contractor will have 5
working days to incorporate and/or address all of the comments provided
by the government.

3. Security Training Class. The contractor must conduct the security training
class based on the approved course materials. The class will be
approximately 6-8 hours in length and be targeted to the system owners of
the key systems identified in the risk assessment. The class will be
conducted in HGA’s headquarters training facility. HGA will be
responsible for the replication of the materials for the training class.

4. Employee Security Awareness Training. The contractor must provide
either written employee security awareness training materials both hard
copy and electronic (WordPerfect 8.0) format or recommendations on
COTS products which would meet the HGA requirements. This
deliverable is due 10 working days after the completion of the Security
Training Class. The government will have five working days to review
the information and provide written comments to the contractor. The
contractor will have five working days to incorporate and/or address all
comments provided by the government.

3.4 Task #4. General Description

The Contractor will review existing computer security plans and operational
procedures for HGA's major application and general support systems written to
comply with the Computer Security Act of 1987, and will revise or update the
plans to reflect system changes. For those major applications or general support
systems for which no computer security plan exists, the Contractor will create
new plans.

3.4.1 Task #4. Responsibilities

The contractor, working with HGA's computer security program manager and
with other HGA/OIRM officials responsible for the respective HGA systems will
update or create new security plans. The revised and new plans will be concise,
but will be written to conform to NIST Special Publication 800-18 (Guide for
Developing Security Plans for Information Technology Systems). The security
plan for each system will clearly define the security requirements, describe the
controls in place or planned to meet these requirements, and delineate the
responsibilities and expected behavior of all individuals who access the system.

HGA has a number of systems which require review and/or development of
security plans. The actual number of systems for which security plans will be
completed will depend on project funding. The minimum number of systems to
be reviewed will be six and consist of the IMS (Integrated Mission System), CDS
(Charge Data System), Network (Local and Wide Area Network), FINASST
(Agency’s Financial System), HGA-1 and CADS (Certification and
Disspersement) system.

The process for the review and creation of the security plans will be the same for
each system under review. The deliverables identified below are required for each
system. The complete set of deliverables will be received and accepted prior to
the start of the process for the subsequent system’s security plan.

3.4.2 Task #4. Deliverables

1. Draft outline. A written draft outline of the security plan must be
provided. This outline will provide the basis for the draft and final report
deliverable for this task. The outline must contain sufficient detail to
indicate all pertinent areas of the security plan will be addressed. It must
also include, at a minimum, its categorization as either major application
or general support system, identification regarding who is responsible for
the system, the purpose of the system and the sensitivity level of the
system. This outline must be provided to the government in both hard-
copy and electronic format (WordPerfect 8.0) 5 working days after the
initial kick-off meeting for each system having a security plan
developed/updated. The government will provide written comments on
the draft outline within 5 working days of receipt of this draft deliverable.

2. Draft report. A written draft report, based on the approved draft outline,
which contains all of the elements required in the security plan will be
required as a deliverable. The draft report must contain all elements of the
security plan including, but not limited to, system identification, system
name/title, responsible organization, information contact, assignment of
security responsibility, system operational status, general description,
system environment, system interconnection/information sharing,
sensitivity of information handled, management controls, and operational
controls. As a draft, the elements in each section can be identified in
bullet format, i.e., the complete write-up does not need to be drafted, but
must contain enough information to identify key points for each section.
If specific items were unable to be identified, e.g., management or
operational controls, these items must be clearly identified and a
recommendation for corrective action be made. Any such
recommendation should be identified and documented as separate from
the actual security plan. This deliverable is due 20 working days after the
government’s acceptance of the draft outline. The government will have
10 working days to review the deliverable and provide written comments
to the contractor.

3. Final report. The final report must address all written government
comments on the prior draft. The final report must include the complete
security plan for the system. All items identified in the draft report in
bullet format must be expanded into a complete write-up. If specific items
were unable to be identified, e.g., operational or management controls,
these items must be clearly identified and a recommendation for corrective
action be made. Any such recommendation should be identified and
documented as separate from the actual security plan. This final report
deliverable is due 20 working days from the receipt of the government’s
comments on the draft report. The government will have 10 working days
to review the final report and provide written comments to the contractor.
The contractor must incorporate or address all of the government’s written
comments before the deliverable will be accepted as final by the
government. The final deliverable is due 5 days after receipt of the
government’s written comments.

NOTE: These three deliverables will be required for all six HGA systems.
Therefore, the total number of deliverables for this task is 18.

3.5 Task #5. General Description

The contractor must identify appropriate technologies for electronic signature and
identify the change in the potential risk and risk profile which might be
introduced as a result of the implementation of such technologies for HGA’s
system for tracking charges (CDS/IMS). This task will not begin until the risk
analyses and security plans for both CDS and IMS have been completed.

3.5.1 Task #5. Responsibilities

The contractor must conduct a market review of technologies capable of
supplying electronic signatures which will function in the HGA technical
environment. The intent is to review the potential usage of such technologies in
light of the Government Paperwork Elimination Act and the potential
risk/exposure to the Agency.

3.5.2 Task #5. Deliverables

1. Market Review Report. The contractor must supply a report
identifying the potential technologies, their acquisition and
operational support costs, and provide a recommendation for the
technology most cost effective in meeting HGA requirements.
This report will be due 15 days after the start of this task.

2. Revised Risk Assessment. Based upon the assumption that these
technologies (Task #5, deliverable 1 above) are both feasible and can be cost
effectively introduced into HGA’s environment, a revised risk
analysis must be prepared. The risk analysis will address the risk
and associated exposure/threats that the introduction of the new
technology may introduce. This revised risk analysis will be due
15 days after the start of this task. The government will have 5
working days to review the report and provide written comments.
The contractor will have 5 working days to incorporate and/or
address the government’s comments.

4.0 GOVERNMENT FURNISHED EQUIPMENT AND FACILITIES

4.1 Support Provided by HGA

HGA will provide the following facilities, tools, supplies, and resources to aid the
contractor in the accomplishment of the tasks and functions described above.

1. HGA will provide space (a desk and chair) at our headquarters site for up to two
contractors for this project.

2. Each contractor will be provided with at least one (1) telephone and one (1)
computer when working at the headquarters site. Telephones may only be used in
accordance with Federal Guidelines and Standards to conduct HGA-related
business and may not be used to conduct non-HGA contractor business.

3. On-site contractor personnel have the use of copiers located in the HGA
headquarters building. Copying paper and acetate materials will be supplied by
the Government as needed.

4. Contractor personnel will be issued building IDs to facilitate access to the
headquarters building.

4.2 Support Not Provided by HGA (Must be Supplied by the Contractor)

The following operational support will NOT be provided by HGA as part of this contract.
It is the responsibility of the contractor to supply these items, as needed, to accomplish
the tasks described above.

1. Office supplies such as paper, pens, pencils, clips, staplers, or any other general
office supplies.

2. Secretarial or clerical support.

3. Tools required to complete any of the tasks.

5.0 PERSONNEL

Resumes for all individuals proposed for each task should be submitted as part of the
proposal in accordance with previous standards set under the GSA Federal Technology
Service's (FTS) Safeguard contract. In addition, the specific staff categories described
below must also be addressed. Personnel must have demonstrated experiences,
documented in their resume, in support of the specific task for which they are being
proposed.

1. Project management and hands-on experience in the performance and leadership
of project teams in conducting security program reviews and assessments,
development of security awareness programs, and review and development of
security plans. Expertise should be demonstrated by showing a thorough
knowledge of performing these services in the Federal sector following Federal
guidelines, especially OMB Circular A-130. CCSP (Certified Computer Security
Professional) or CISA (Certified Information Systems Auditor) is highly
desirable.


2. Security analyst skill set is required. Skills in the assessment and development of
security plans, conducting of risk analyses and vulnerability assessments based
upon the Federal sector requirements. Current experience in reviewing,
documenting, and auditing security requirements for systems built using state-of-
the-art technologies, e.g., Internet/Intranet services, WEB and WEB-enabled
applications, HP UX, Oracle dbms, etc. Expertise in performing information
systems auditing is required.

3. Security training expertise is required. Knowledge of COTS security training
materials, experience in developing security curriculum, classroom experience in
training managers and IT technical specialists in specific security awareness and
information security responsibilities must be demonstrated.

4. Expertise in electronic signature technologies, encryption techniques, and other
state-of-the-art security technologies. Demonstrated experience in
implementation of such security technologies in a WEB/Internet environment is
highly desirable.

5. The specific individuals proposed for each task must be made available, at the
appropriate time in the project, to work full-time on the tasks described in this
Statement of Work.

6. All personnel with the above defined skill set related to this Statement of Work
are considered Key Personnel. Offerors may NOT replace Key Personnel after
the technical evaluation is completed unless the individual is no longer an
employee of the Offeror or unless written permission is obtained from HGA. This
clause supersedes any other statements on personnel associated with this contract.
A bid on this Statement of Work constitutes acceptance of this clause.

7. All personnel must be fully trained and ready for the tasks for which they are
proposed, prior to becoming billable through this contract.

6.0 REPORTS, BRIEFINGS, AND OTHER DELIVERABLES

The Contractor shall submit reports and other deliverables in accordance with the
requirements set forth below and as specified in individual delivery/task orders.

6.1 Meetings

Within one week of notification of the award, the contractor will schedule a kick-off
meeting with the government. The contractor will prepare an agenda for the meeting.
At the meeting, the contractor will provide the government with a list of the documentation
that the government must supply in order for the contractor to successfully complete
each of the tasks in this project. The contractor will also prepare a schedule that
includes milestone dates for all deliverables in this project.

A regularly scheduled status meeting will be held every two weeks during the course of
the project. The contractor will be responsible for preparing the agenda, documenting the
meeting through meeting notes, and maintaining an up-to-date project schedule.

6.2 Reports

The contractor shall submit monthly progress reports. Each progress report shall contain
an executive summary, information on significant activities, progress on work associated
with the tasks, and funds status. The report shall be submitted within 10 working days
after the end of the reporting period and will be submitted electronically in
WordPerfect 8.0 format.

7.0 DATA SECURITY REQUIREMENTS

HGA's information systems contain sensitive information, as defined in the Computer
Security Act of 1987 (PL 100-235), and contain personal information subject to the
Privacy Act of 1974 (PL 93-579 and amendments). It will be the Contractor's
responsibility to familiarize and brief employees and subcontractors on the provisions of
the Privacy Act. FAR clauses 52.224-1, "Privacy Act Notification", and 52.224-2,
"Privacy Act", are hereby incorporated by reference.

The confidentiality and disclosure provisions of Title VII of the Civil Rights Act of 1964
and Title I of the Americans with Disabilities Act prohibit disclosure of any charge or
charge-related information. The contractor shall agree that such information will not be
disclosed and will be used only for the performance of its responsibilities under this
task order.

8.0 INSTRUCTIONS AND EVALUATION CRITERIA

8.1 Instructions

The Offeror’s proposal must include, at a minimum, the following:

1. Describe the approach, methodology, technique, or plan that you are proposing to
accomplish each task. Each task should be identified separately using the
parameters defined in the scope section.

2. Describe previous corporate past-performance experience that is relevant to
each task.

3. Provide resumes for the person(s) that you are proposing to accomplish each task.
Heavy emphasis will be placed on the skills and previous experiences of proposed
personnel.

4. Provide a quality assurance and project plan which identifies the deliverables in
the project, time frames for completion, milestone dates, and the management
controls which will be put in place to ensure the product is completed in the time
frames and for the funding defined.

All Offerors must submit a proposal that addresses all tasks described in this Statement of Work.

8.2 Evaluation Criteria

The technical portion of this proposal is worth 80 points while the cost portion is worth
20 points. HGA will follow the standard procedures established under the GSA/FTS/OIS
Project Safeguards Contract to evaluate the technical portion of the proposal. Table 1
shown below describes the areas of evaluation and the weighted score values for the
technical portion.

TABLE 1
Evaluation Criteria and Scores

Item #  Description                          Weighted Score
1.      Technical approach and methodology   20
2.      Past performance                     25
3.      Key personnel resumes                30
4.      Project/Quality Assurance Plan        5
        Total (technical portion)            80

APPENDIX A Table of Primary HGA Major Application Systems, General Support
Systems, Offices Responsible for Them and Essential Purpose /
Function of System

Columns: Name of Major Application / Support System; Office in Charge;
Essential Purpose / Function of System.

Charge Data System (CDS)
    Office in Charge: Office of Information Resources Management (OIRM)
    Essential Purpose / Function: Primary major application system for the
    collection and dissemination of Agency Charge information.

HGA Surveys System
    Office in Charge: Office of Research (OR)
    Essential Purpose / Function: Primary major application system for the
    collection and dissemination of Agency surveys of private and public sector
    compliance with the laws enforced by HGA.

CAD (OFO) System
    Office in Charge: Office of Federal Operations (OFO)
    Essential Purpose / Function: Primary major application system for the
    certification and dissemination of information.

Integrated Mission System (IMS)
    Office in Charge: Office of Information Resources Management (OIRM)
    Essential Purpose / Function: Primary major application system for the
    enterprise, on-line transaction processing and decision support concerning
    HGA's charge information.

Agency's Financial System (FINASST)
    Office in Charge: Office of Financial and Resource Management (OFRM)
    Essential Purpose / Function: Primary major application system for the
    management of HGA's internal financial management information.

Network (Agency's Local and Wide Area Network (WAN))
    Office in Charge: Office of Information Resources Management (OIRM)
    Essential Purpose / Function: Primary general support system for HGA's
    Local and Wide Area Network.
