Infrastructure And Cybersecurity Support (AICS)

The Department of Energy (DOE), Office of Environment, Health, Safety and Security (EHSS) has an ongoing requirement for Application, Infrastructure, and Cybersecurity (AICS) support.

Solicitation in a Nutshell

Agency: Department of Energy (DOE), Office of Environment, Health, Safety and Security (EHSS)
Solicitation Number: 89303022NAU000011
Status: Pre-RFP
Solicitation Date: 01/2025 (Estimate)
Award Date: 07/2025 (Estimate)
Contract Ceiling Value: $45,000,000
Contract Vehicle: GSA CONSOLIDATED MULTIPLE AWARD SCHEDULE
Competition Type: Full and Open / Unrestricted
Type of Award: Task / Delivery Order
Primary Requirement: Information Technology
Duration: 1 year(s) base plus 4 x 1 year(s) option(s)
Contract Type: Firm Fixed Price, Cost Plus Award Fee, Task Order
No. of Expected Awards: N/A
NAICS Code(s): 541512 (Computer Systems Design Services)
Size Standard: $34 million annual receipts

Place of Performance:
  • District Of Columbia, United States (Primary)
    • DOE HQ 1000 Independence Avenu
  • Germantown, Maryland, United States
    • 19901 Germantown Rd, Germantow
Opportunity Website: https://sam.gov/opp/c6ce6fd3c70b4c88a20a0cd741a205f9/view

Background

The DOE is looking to issue a hybrid Task Order, with both Cost-Plus Award Fee (CPAF) and Firm Fixed Price (FFP) elements for this requirement. The magnitude of this effort is estimated to be up to $45 million over a five (5) year ordering period. The principal place of performance is the U.S. Department of Energy, 1000 Independence Avenue SW, Washington, DC 20585 and U.S. Department of Energy – Germantown, 19901 Germantown Rd, Germantown, MD 20874.

EHSS is the DOE’s central organization responsible for health, safety, environment, and security; providing corporate-level leadership and strategic vision to coordinate and integrate these vital programs. EHSS is responsible for policy development and technical assistance; safety analysis; and corporate safety and security programs. The DOE Office of Environment, Health, Safety, and Security advises the Deputy Secretary for DOE on all matters related to environment, health, safety, and security across the DOE complex.

The EHSS Office of Information Management is responsible for ensuring that the EHSS IT portfolio effectively supports the EHSS program offices and the environment, health, safety, and security needs of the DOE. The EHSS Office of Information Management will provide technical guidance and oversight for EHSS

EHSS IT PORTFOLIO DESCRIPTION

The EHSS IT Portfolio is diverse. It consists of a mix of on-site and off-site components. EHSS receives network services, Amazon Web Services (AWS), Microsoft Azure and Microsoft 365 cloud platform services, internet and intranet websites, and most end-user workstations through the DOE Chief Information Office Energy IT Services (EITS) organization. Appendix A provides information for major components, applications, databases, systems, and competencies that support the EHSS mission.

The DOE Chief Information Officer (CIO) is responsible for cybersecurity policy and operations in the department. EHSS is responsible for physical security, information security, personnel security, and classification programs. EHSS receives unclassified desktop services, unclassified network services, unclassified e-mail service, and cyber incident response services from the DOE Energy IT Service (EITS).

EHSS has applications/systems that are hosted in the DOE CIO Federal Risk and Authorization Management Program (FedRAMP) cloud environments. EHSS IT is responsible for the maintenance, patching, and vulnerability mitigation of cloud application layer components. Detailed responsibilities between EHSS and EITS are delineated in a Memorandum of Agreement (MOA) and Service Level Agreement (SLA) document.

The EHSS program offices routinely deal with publicly releasable information, Controlled Unclassified Information (CUI), and classified information. A majority of the CUI information is either Personally Identifiable Information or Protected Health Information. EHSS IT applications and systems are designed to protect the information collected for analysis and processing by the EHSS program offices and the DOE.

EHSS develops and maintains systems and applications that are approved for sensitive unclassified information and classified information in accordance with the DOE EITS Program Cyber Security Plan, DOE Cyber Policies, National Institute of Standards and Technology (NIST) guidance, Federal Information Processing Standards (FIPS) and Special Publications (SP), the Committee on National Security Systems (CNSS) policies, directives and instructions, and federal law and regulations.

EHSS uses a formal process for IT development work. This process includes working with EHSS program offices to define functional and operational requirements. The functional and operational requirements are used by the EHSS Contractor IT team to elaborate requirements and provide a technical proposal and cost estimate. Development work does not begin until the EHSS program office formally agrees with the technical proposal and cost estimate.

EHSS systems/applications are configured to support development, testing, staging, training, and production activities. EHSS expects that all development work, testing, and production deployments will take place on government-furnished environments operating under a Federal Authority to Operate (ATO).

Authentication to applications and systems in the EHSS portfolio is based on the use of the Personal Identity Verification (PIV) credential as specified in Committee on National Security Systems (CNSS), Federal Information Processing Standards (FIPS), and associated Special Publications (SP), Homeland Security Presidential Directive 12 (HSPD-12) and Federal Identity, Credential, and Access Management (ICAM) documents.

The DOE CIO has delegated the Authorizing Official (AO) responsibilities to the Director for the EHSS Office of Information Management for classified and unclassified applications and systems owned and operated by EHSS.

  • EHSS Classified Local Area Network: EHSS operates and maintains a local area network supporting 200-300 users that is approved for classified information.
  • EHSS Internet / Intranet Presence: EHSS maintains public content on the EHSS section of the DOE website, Energy.Gov.
  • EHSS SharePoint: EHSS provides and maintains a SharePoint environment for document sharing and collaboration.
  • EHSS Help Desk and End User Support: EHSS operates an organizational help desk that provides operations support for EHSS-owned IT assets, EHSS applications, and the EHSS classified local area network. The EHSS help desk is a supplement to the larger DOE HQ EITS help desk operated by the DOE OCIO. The EHSS help desk provides deskside services for asset management, EHSS program account management, and peripheral equipment not requiring EITS network administrative access.
  • EHSS Cybersecurity: EHSS cybersecurity provides the resources needed to perform all the functions necessary to obtain a federal Authorization to Operate for EHSS systems and applications. These include, but are not limited to:
    • System security plans
    • Cybersecurity test plans and documentation
    • Risk Analysis and Assessments
    • Corrective Action plan tracking and reconciliation
  • EHSS cybersecurity also provides resources that support EHSS operational system security functions and the EHSS Information System Security Officer. The EHSS cybersecurity team interfaces with the DOE-HQ EITS cybersecurity and incident response team and the DOE cyber incident capability iJC3. EHSS relies on the DOE-HQ EITS cybersecurity team and the DOE iJC3 for technical assistance and support.

EHSS cybersecurity also provides resources that support EHSS cybersecurity policies, plans, and procedures to effectively manage the EHSS cybersecurity program. These documents include, but are not limited to:

  • EHSS Assessment and Authorization Plan
  • EHSS Configuration Management Plan
  • EHSS Privacy Plan

Requirements

This includes planning and implementation of EHSS’s e-GOV, Information Technology (IT) planning, and program architecture initiatives; ongoing mission related information systems support, and cyber security for EHSS mission related information systems. The EHSS Office of Information Management will provide technical guidance and oversight for EHSS work.

  • The Contractor shall develop, operate, and maintain EHSS systems and applications in accordance with all applicable Federal Regulations and DOE Policy and Orders, and in accordance with the systems and application engineering and methodology guidance provided by the DOE Chief Information Officer (CIO), the National Institute of Standards and Technology (NIST) and if appropriate the Committee on National Security Systems (CNSS).
  • The Contractor shall ensure the personnel providing labor hours for development, web content authoring, documenting, testing, installation, configuration, maintenance, training, and other services related to Information and Communication Technology (ICT) possess the knowledge, skills, and ability necessary to address the applicable Revised 508 Standards defined in this contract and shall provide supporting documentation.
  • The Contractor shall adhere to federal cybersecurity requirements, Federal Laws and Regulations, National Cybersecurity policies and guidance, Department of Homeland Security binding operational directives, DOE issuances, DOE Orders, Manuals and Notices, Committee on National Security Systems Policies, and National Institute of Standards and Technology Standards, Frameworks and Special Publications for Information Security.
  • The contractor shall manage work in accordance with DOE O 415.1 Admin Chg 1, Information Technology Project Management. https://www.directives.doe.gov/directives
  • The Contractor shall track and report to EHSS all costs associated with the development, operations, and maintenance of EHSS systems and to satisfy the mandated OMB Capital Planning and Investment Control process. Cost reporting and invoicing shall be divided into Work Breakdown Structure (WBS) Elements of Program Management, Development, Operations and Maintenance (O&M), Help Desk, and Cybersecurity and reported as separate line items. Each major line will be further divided into sub-elements agreed to by EHSS and the Contractor using a WBS format. The Contractor shall be responsible for preparing the DOE IT Portfolio Management (ITPfM) documentation found in https://digital.gov/services/folio/ and https://www.cio.gov/policies-and-priorities/tbm/ and providing updated status information to assigned EHSS Office of Information Management personnel.
  • The Contractor shall provide annual spend plans for contract costs by June.
  • The Contractor shall adhere to the following work priorities:
    • Operations and Maintenance (in order of precedence)
      • Cyber Vulnerability mitigation (Critical and High vulnerabilities)
      • System Patching and medium vulnerability mitigation
      • Troubleshooting and issue resolution
      • Account administration, web postings, log analysis, back-ups, etc.
    • Development activities, includes design, programming, testing, training, and implementation.
  • The contractor shall support the EHSS formal process for IT development work to ensure alignment and collaboration between development, operations, and cybersecurity staff across the software lifecycle. This process includes working with EHSS program staff to support functional and operational requirements without compromising security.
  • The Contractor shall provide services in accordance with the EHSS Continuity of Operations Plan (COOP). EHSS’ IT operations and maintenance support services may be required for COOP and contingency operations. The scope of support services is based on EHSS applications’ operational and availability requirements. Also, EHSS IT annually conducts tests, training, and tabletop exercises to support its COOP Plan. Support for EHSS classified systems will need to be accomplished on-site at the DOE Forrestal and Germantown facilities. The Contractor may be directed to provide support at the DOE Germantown and Forrestal facilities during government shutdowns, including weather-related shutdowns. Specific direction will be provided on a case-by-case basis through the Contracting Officer / Contracting Officer Representative.
  • The contractor shall support and maintain the EHSS SharePoint instance.
  • EHSS Systems and Applications:
    • Software and application releases and hardware upgrades shall be implemented on a set and defined basis subject to funding.

New or upgraded system(s) shall use commercially available software and hardware or government-furnished software to the greatest extent possible. Software used will either be currently available through the DOE EITS Program or will need to be approved by EHSS and purchased through the DOE CIO program. Changes to the current software/hardware framework identified in Appendix A need to be approved by the EHSS Technical Review Board and the EHSS Authorizing Official.

  • Application development, testing, and training shall be conducted on the EHSS servers with source control configured to correspond to different stages of the development life cycle (i.e., development, testing, staging, and production) in EHSS’ source control repository. The source control shall be configured to enable flowing code from development into production in an agile and repeatable way and enable DevSecOps workflow.
  • New applications and modifications to existing applications must be approved by the EHSS Authorizing Official before placement into production.
  • Cybersecurity:
    • The Contractor shall implement Cybersecurity Program Plan(s) in accordance with the guidance and direction provided by the DOE Chief Information Officer (CIO), the National Institute of Standards and Technology (NIST), the Committee on National Security Systems (CNSS), the Office of Management and Budget (OMB) and the EHSS Office of Information Management (EHSS-72).
    • The Contractor shall prepare all documents associated with security assessment and authorization of new or upgraded system(s) for submission to EHSS’s Director of Information Management (EHSS-72).
    • The Contractor shall provide DOE project and information security personnel access to systems and facilities covered by this contract, upon request.

Work Area 1: IT Project Planning and Management (CLIN 1 – CPAF)

  • Provide IT project planning and management support for planning, organizing, directing, and controlling overall activities of assigned projects, including project management, technical work, requirements traceability, quality management, schedule, costs, and risk management.
  • Capture project metrics via program and project exhibits to communicate information technology contract performance.
  • Exhibits shall include information technology project plans that communicate tasks, milestone dates, status, resource allocation, and associated costs.
  • IT project planning activities also include working closely with, and providing input to, the EHSS IT program/task manager regarding technical approach and associated level of effort, technical trade-offs and Return-On-Investment (ROI) information, Key Performance Indicators (KPIs), and alignment of technical activities to EHSS IT roadmap activities.
  • Lead knowledge management (KM) practices for development, operations, and maintenance of EHSS systems for consistency across projects to achieve continuous knowledge management through a metrics-based feedback loop and improve cycle times for IT product and service delivery.

Work Area 2: Application Development, Testing, Operations, and Maintenance (CLIN 1 – CPAF)

  • Provide application design, engineering, development, testing, implementation, training, documentation, operations, and maintenance for EHSS applications and systems. (Note: Unless otherwise specified, all date/day intervals shall be interpreted to mean calendar days.)
    • Provide technical and administrative support services for feasibility analysis of approved requirements, software design, engineering, development, testing, implementation, operations, and maintenance services for applications supporting EHSS’s mission needs and objectives.
    • Ensure integration and interoperability, as appropriate, between EHSS mission systems and other departmental systems.
    • Ensure that EHSS applications are compliant with EHSS’s and the Department’s enterprise architecture.
    • Provide technical and administrative support for implementing, operating, and maintaining applications in the EITS Enterprise Cloud Environment and Headquarters. EHSS web applications maintenance responsibilities are based on the type of deployment of the EHSS technical stack.
    • Provide support for customer training, user documentation development, and customer help services for EHSS developed and maintained applications.
    • Provide documentation, including: Pre-development documentation to elaborate approved requirements and acceptance criteria, high-level application architecture; documentation during development to explain application architecture and design, user experience design and architecture, source code, validation and testing documents; and post-development documentation to support the application’s change, release and configuration management requirements, support operations and maintenance activities and to support educating application users how to use the application or changes due to approved change requests and other help-related information in a manner consistent with current, commercially available applications. All documentation shall be in a format editable by the Government and maintained in the appropriate provided tool.
    • Identify risks associated with the development, analysis, and classification of those risks as to severity and likelihood, and the identification of techniques to mitigate the risks.
    • Monitor, maintain, enhance and manage all existing business applications and correct defects as they become known. The same software engineering best practices and techniques will be used for application modifications as are to be used for new system development. All data and programming standards shall be used and consistently applied.
    • Utilize an iterative development methodology for all work. The methodology shall allow users to examine the validity and accuracy of the business requirements and to respond to the usability and performance of new developments. User testing and acceptance throughout the development cycle will detect usability issues, missing requirements, and any necessary design changes early in the process, allowing them to be prioritized by stakeholders.
    • Support for multiple frameworks within an Internet/Intranet architecture, web application development using a service-oriented architecture and web services and application program interfaces (APIs) where applicable, and software languages for existing and new web applications in the Agency’s cloud environment.
    • Develop, test, deploy, and install applications of Machine Learning (ML) and Artificial Intelligence (AI) for Mission-driven data analytics of both quantitative and qualitative data to support risk and regulatory reporting requirements across EHSS programs. Machine learning capabilities shall support the classification and categorization of data points from multiple EHSS applications, and configure dimensions for features, predictors, or variables to perform model training and visualization of the variables. AI capabilities shall support goal-oriented and low-level simple tasks for specific areas to enhance user experience for insights based on existing EHSS information.
    • Implement practices and procedures that conform to the DOE Zero Trust Architecture model.
    • Integrate planned testing including test plans, test cases, test results, and traceability to requirements to validate software milestones.
    • Integrate repository to track all changes and versions of all software applications to support application change, configuration, and release management requirements.
    • Implementation of language, platform and cloud agnostic Continuous Integration/Continuous Delivery (CI/CD) platform with support for containers.
    • Support for integration of application security and compliance monitoring tools.

Work Area 2A (Design, Engineering, and Development):

  • The Contractor shall provide the administrative, professional, and technical support to conduct feasibility analysis of approved requirements, perform the design, engineering, and development work for existing and new systems and applications in the EHSS IT portfolio.

Work Area 2B (Testing and Implementation):

  • The Contractor shall provide the administrative, professional, and technical support to perform the testing and implementation work for new systems an

Work Area 2C (Operations and Maintenance):

  • The Contractor shall provide the administrative, professional, and technical support to maintain the operation of EHSS mission systems as described in the following:
    • The Contractor shall provide the necessary staff for the operations and maintenance of EHSS applications and systems.

Work Area 3: Web Site (CLIN 1 – CPAF) 

  • The Contractor shall provide the administrative, professional, and technical support to update and maintain content for EHSS internal and external websites such as the EHSS Intranet, EHSS SharePoint, EHSS energy.gov, and EHSS presence on DOE website (EHSS Energy.Gov, DOE Safety Culture, EHSS Energy Hub) and the NEPA.gov website to support The Council on Environmental Quality.

Work Area 4: EHSS Information Services (Help Desk and End User Support) (CLIN 2 – FP) 

  • The Contractor shall provide the administrative, professional, and technical support to provide help desk and end user support for EHSS mission systems. This is a fixed price element. The contractor shall provide Help desk support; account management; resolution of Microsoft Office product issues with end-users; management and operation of CISCO videoconferencing equipment; and troubleshooting standard desktop computers, printers, monitors, and keyboards.

Work Area 5A: Cybersecurity Support (CLIN 1 – CPAF)

  • The Contractor shall provide administrative, professional, and technical support for cybersecurity for both classified and unclassified systems. The contractor shall provide implementation of the NIST cybersecurity framework (NIST SP 800-37); implementation of the NIST SP 800-53 Publications by Security Control Family; implementation of the CNSS controls; use and evaluation of the DISA STIGs or CIS Benchmark; implementation of a Continuous Diagnostic and Monitoring program; implementation of FIPS 199 and associated special publications; support responses to initial cybersecurity incidents; and support responses to cybersecurity spillage incidents.

Work Area 5B: Continuous Diagnostics and Mitigation / Zero Trust Architecture SME (CLIN 1 – CPAF): 

  • Provide support for the maintenance and implementation of Zero Trust Architecture (ZTA) and Continuous Diagnostic and Monitoring (CDM) within EHSS.
  • Provide guidance, support, and recommendations to the EHSS Federal staff to procure appropriate tools/software working with the EHSS infrastructure team.
  • Provide technical support and analysis for ZTA/CDM data calls under the guidance of EHSS Federal staff.

Work Area 5C: Information System Security Officer (ISSO) (CLIN 1 – CPAF)

  • The Contractor shall provide the administrative, professional, and technical support for the EHSS Information System Security Officer functions, as described in the following:
    • Provide support to ensure compliance in the implementation and operations of all DOE cybersecurity requirements for classified and non-EITS managed unclassified computing assets
    • Provide support in the coordination of excessing IT equipment
    • Provide on-site support between the hours of 7:00AM and 6:00PM EST Monday through Friday, excluding Federal holidays

Work Area 6: EHSS Server and Network Infrastructure Operations (CLIN 1 – CPAF)

  • The Contractor shall provide the administrative, professional, and technical support and management in the operation and maintenance of the EHSS Servers and Networks and other EHSS networks approved for unclassified/classified operations (this includes, but is not limited to, EHSS servers that are hosted by a Cloud operation).
  • The contractor shall provide the design of LINUX/Microsoft-based unclassified networks and classified local area networks; operation and maintenance of LINUX/Microsoft based unclassified/classified local area networks; operation and maintenance of COMSEC equipment (TACLANE encryptors); and thin client-based local area networks. This does not include EITS-managed networks.
  • The Contractor shall:
    • Provide technical and administrative support services for software design, engineering, development, testing, implementation, operations, and maintenance services for applications supporting EHSS’s mission needs and objectives.
    • Ensure integration and interoperability, as appropriate, between EHSS mission systems and other departmental systems.
    • Ensure that EHSS applications are compliant with EHSS’s and the Department’s enterprise architecture.
    • Provide support for customer training, documentation development, and customer help services for EHSS developed and maintained applications.

Work Area 6A: EHSS Server and Network Infrastructure (Design, Engineering, and Development):

  • The Contractor shall provide the administrative, professional, and technical support to perform the following:
    Requirement documents will be established for new network functionality / configuration or modification to the existing network functionality / configuration in coordination with EHSS. The requirements document will identify the functional and operational requirements needed by EHSS, as well as the desired date for the network modifications to be operational.

Work Area 6B: EHSS Server and Network Infrastructure Operations (Testing and Development):

  • The Contractor shall provide the administrative, professional, and technical support to perform the following:
    Prototype versions of the application shall be delivered, unless otherwise directed by EHSS, within the timeframe established during the development of the functional and operational requirements. Not all of the functionality described in the requirements document must be present in prototype versions.

Work Area 6C: EHSS Server and Network Infrastructure Operations (Operations and Maintenance):

  • The Contractor shall provide the administrative, professional, and technical support to maintain access to EHSS mission systems as described in the following:
  • The Contractor shall provide the necessary staff for the operations and maintenance of the EHSS.
