April 13, 2022



CE CS Cybersecurity Initiative Follow-on Industry Day 30 Mar 2022
Questions & Answers

DISCLAIMER: All answers given are pre-decisional. Should any Solicitation documents conflict with the answers given below, the solicitation documents shall take precedence. These answers are being provided only with the goals of clarifying the Government's intent and obtaining feedback from Industry. Some answers may have changed in light of incorporating Industry feedback since they were answered. The Solicitation will incorporate more changes than those indicated below.

| Item | Question | Answers |
|---|---|---|
| 1 | What was the acquisition strategy for the current contract? 8a, SDVOSB, GSA, etc.? | NETCENTS-2 Full and open pool. |
| 2 | Will all the govt members on the call now be in the one/one sessions as well? Is Best Value an option for the follow-on? | The contracting team along with the technical team will be on the one-on-ones. Yes, trade off is an option for the next acquisition. |
| 3 | What is the scope of the two week transition? Is it just the operation center, or does that include all sites? | In the last contract, it was just the operation center, however we didn't have OSR's deployed at that time. TBD. |
| 4 | De Say we comet vehicle you planned to use? I think I | There has been no decisions made yet as to which vehicle will be used. |
| 5 | The Industry Day docs show a 15 Feb 2023 Final RFP, there is no mention of a Draft RFP or another industry day prior to that date. With that date 10-11 months away, does the government intend to hold another industry day, maybe in conjunction with a site visit? Will there be a Draft RFP released with ample time allocated for industry to comment on the draft documents? | TBD. Major draft document is current PWS. Draft RFP is possible. |
| 6 | omportunity? Were commited Chewy code for this | This question is part of the RFI. Other NAICS codes are being considered. |
| 7 | Is the goal for industry to help the AF expedite the COINEv2 rollout while propelling systems integration and ensuring legacy ICS/OT can achieve RMF ATO/ATC standards faster? | We want to achieve the rollout of COINE faster, however we have guidelines and process given to us by our AO. These systems are different, legacy etc. Looking to expedite the process where possible. |
| 8 | 1) Are any proprietary systems in use today, and if so, what is the expectation for retaining the system and/or the migration of the data? 2) Are any unique ODC requirements anticipated that would be not available from NETCENTS, NASA SEWP, or a GSA contract? If so, please explain. | Yes, some proprietary systems in use. We have no objective to collect data, concerned with protecting the data. No other ODC requirements encountered yet. |
| 9 | With the AF CE COINE 2.0, adding capabilities for intrusion detection, incident response and continuous monitoring capabilities are you going to require CMMC 2.1 certification requirements? | Cybersecurity Maturity Model Certification (CMMC) is an OS&D requirement |
| 10 | Update to proprietary systems question: The question was referring to proprietary systems used by the current contractor in performance of the work, such as an inventory tool. | Nothing is proprietary to incoming contractor. |
| 11 | In review of the PWS, there is references to NIST 800-53 which is 100% applicable. Do you see NIST 800-82 applicable as well regarding the NIST Guide for ICS Security which is not mentioned in the PWS as of yet | Yes, 800-82, Guide to Industrial Control System (ICS) Security. Use the latest publication |
| 12 | Given the OCONUS requirements for this contract, will the procurement include SOFA coverage for OCONUS staff? | Will depend on which country for SOFA coverage. Currently no exact requirement for anyone in any specific location. |
| 13 | The slide mentions "Control System critical infrastructure assessment and mitigations" as a contract area of effort. Do you have an idea of the split of what the contractor may assess vs role of the government in mitigation and funding? Example: If the contractor identifies an issue, are they expected to mitigate (cost and authority would be an issue)? The ISSM role probably links in too. | We don't use our ODC clins to purchase materials that are not owned by AFCEC. ODC clin used primarily for COIN v2 related purchases. |
| 14 | According to your timeline, when (generally) do you plan to decide on precisely the method of contracting, and how will you inform industry of this? | Will depend on how much information we get via RFI. Time will be required to review RFI responses and additional market research. |
| 15 | Are you Ome to have any inside threat requirements to support Cyber Security enterprise network performance and susceptibility indicators? | Number of different tools to scan for threats, Open for suggestions for inside threat requirements. |
| 16 | Are any of your ICS/OT systems and devices and your Ops Center already in the Cloud w/ regard to Zero Trust. Or, are you looking for industry to develop a Zero Trust tech roadmap to get you there? | No. Zero trust roadmap is coming, other areas of interest in AF tasked with zero trust specifics, but not ours yet. |
| 17 | Will there be any opportunities during the proposal period, to visit and/or inspect any of the facilities (i.e. Ops Ctr)? | Right now not part of the requirement. Will discuss to see if a benefit. Right now not planned but not ruled out for the future. |
| 18 | Is AFCEC concerned about receiving too many proposals to reasonably evaluate? If so, what are your potential actions to take? | Not concerned at this moment. Dependent on which strategy we choose. |
| 19 | Who is the incumbent performing the work? | Current contractor is General Dynamics Information Technology. |
| 20 | Is NETCENT2 going to be re-established on conclusion of current run? | At this time we believe NETCENT2 is expiring and will not be used for this effort. |
| 21 | Besides OASIS/Alliant are you going to market research with other BIC vehicles like VETS2? | Market research is open to anything available to the AF right now. Will be using the strategy which best meets our needs and best value to the AF. |
| 22 | Will the contractor be responsible for mitigations of findings as a result of NDAA 1650 assessments? | See section 4.2.47 of PWS. |
| 23 | Have you already laid the funding into the POM for this effort or is it part of your 2023 budget request? | We're funded for several years out. |
| 24 | It's our experience that insider threat programs are closely associated with a type of Special Access Programs (SAP). Independent from all other enterprise systems. Perhaps the govt. would consider standing up an insider threat program/system as part of this acquisition strategy? | Yes, we are looking for those suggestions for things missed on PWS. Always open to suggestions |
| 25 | Will proposals for crowdsourced risk analysis be entertained? | We did a crowdsource test, some vulnerabilities were found in COINEv2 and corrected. Will most likely happen again in future. |
| 26 | Acknowledging that you will gather industry input for acquisition strategy and contract vehicle selection, what are some of the driving factors and priorities you will use in the decision making process. Industry understanding of what is important to you will help us make more relevant acquisition suggestions. | Capability is one driving factor. This is a world-wide requirement. Companies with experience and know-how to handle the requirement. If we do not get proper competition, we will re-consider our options. |
| 27 | I believe the plan is to start using SBEAS when NETCENT2 expires is that accurate? | SBEAS is not a mandatory use vehicle, but is an option. |
| 28 | Is there a site that outlines COINEv2 and all the systems that are in the enclave? Have researched and can't find specifics | All information currently ready to release is in PWS Appendix two |
| 29 | As far as FTEs that are working the current version of this contract, is there publicly available information for reference? | Not aware of any public information available. |
| 30 | How critical is it for a company to have multilingual teams? | No requirement to have multilingual teams. |
| 31 | Any other AFIs in the 17 series that ID ground rules for running the Operations Center? | Perhaps 17-203; 17-130; DAFPD17-1 |