The Department of Energy, National Nuclear Security Administration has a requirement for Personnel Security Program Support for the Clearance Action Tracking System (CATS) Development & Maintenance.

The NA-74, Office of Personnel and Facility Clearances and Classification (OPFCC), located on Kirtland Air Force Base in Albuquerque, New Mexico, is responsible for implementing all Department of Energy (DOE) personnel security and facility clearance requirements for all National Nuclear Security Administration (NNSA) field sites. NA-74 is also responsible for the continued maintenance and enhancements of the Clearance Action Tracking System (CATS), DOE’s enterprise application used to manage all Personnel Vetting requirements for the cleared and uncleared federal and contractor workforce. The CATS development project was initiated in 2015 by NA-74 to replace NNSA’s existing clearance case management system. The application deployed in June 2019.

CATS is highly customized, fully automated, case management system that replicates the DOE’s personnel vetting processes, end-to-end. In essence, it accomplishes this automation by “flowing” a case through the process from inception (customer request), all the way through the lifecycle of the case, up to the point of expunging the record (when required) after the case has been terminated.

Unlike its predecessor, CATS was designed as an enterprise system, and is now used by all seven DOE Cognizant Personnel Security Offices (CPSO). Furthermore, the application is being expanded to support additional stakeholders, such as Human Reliability Program (HRP) Certifying Officials, the Office of Intelligence & Counterintelligence, Human Capital, DOE’s Power Administrations, and M&O contractor customers. CATS currently houses roughly 300K cases and has roughly 500 users geographically located across the United States. Over 10K case actions are completed in CATS each month. As such, continued maintenance of this application is critical to meeting the DOE/NNSA mission. NA-74 requires an information technology support services contract in support of CATS maintenance.

In addition, NA-74 also requires program support services in support of implementing Trusted Workforce 2.0 and other personnel security, intelligence/counterintelligence, cyber and human capital requirements. TW 2.0 was launched in 2018 by the Director of National Intelligence and aims to better support agencies’ missions by reducing the time required to bring new hires onboard, enabling mobility of the Federal workforce, and improving insight into workforce behaviors. It is the most far-reaching reform of the Federal Government’s personnel vetting process ever. The approach used today for personnel vetting was developed decades ago. Over time, it has been modified as new threats were identified, but the underlying framework remains the same. Personnel vetting processes require modern transformational reform in line with today’s complex missions, societal norms, threat landscape, changing workforce, and evolving technology. As such, DOE requires an innovative approach to re-brand the CATS application, further secure our data, and automate additional processes stemming from personnel vetting reform. The contractor will be required to gather and refine requirements identified by the Department, assist various CPSOs and program offices with process gap analysis/resolution, and provide technical guidance and schedules for DOE development initiatives.

CATS is currently hosted by the NNSA Office of Information Management (NA-IM) on the Albuquerque Complex Network (ACN). Historically, all NNSA applications were developed, maintained, and hosted/overseen by NA-IM. The CATS project is unique in that NA-74 was responsible for the development & maintenance activities, while NA-IM was still responsible for operations and cyber activities. NA-74 will be working with NA-IM and Microsoft to migrate CATS to the cloud. This effort requires additional resources with a new set of skills/capabilities. The contractor will assume responsibility for planning, migration, and operations of the cloud while NA-IM will continue to oversee all cyber activities.

The following positions are required to fulfill the contract requirements. A high volume of development and maintenance activity is anticipated.

• Project Manager (Key Personnel)
• Solutions Architect (SA)
• Business Analysts
• Software Engineer Levels I – III
• Software Engineer Levels IV – V
• Quality Assurance (QA) Specialists
• Software Testing & Quality Engineer IV
• Cloud Engineer III
• Cyber Security Analyst

PROJECT REQUIREMENTS

• Agile Scrum Methodology:
  • The contractor will employ the Agile Scrum project management methodology. Development will occur in short, two-week iterations (“Sprints”). Agile ceremonies will be used to plan, conduct, and report on status, to include Sprint Planning, Daily Scrum, Retrospective, Product Demonstrations, Prioritization, and Triage. The Agile concept will be used to flexibly and iteratively prioritize and plan work as well as deliver small, meaningful value more frequently.
• Azure DevOps (ADO)
  • To facilitate Scrum as well as all software configuration and release management practices, the Contractor shall use Azure DevOps (ADO). ADO should be used to track all backlog items, Sprints, requirements, acceptance criteria, work items, approvals, support requests, source code, and release notes. Additionally, it can be used to as a team Calendar, as a Wiki for various informal team and process documentation, and to provide real-time transparency through reporting and dashboards.
  • Key information to be managed and reported using ADO:
    •  Sprint burndown chart.
    • Current Sprint backlog.
    • Product backlog, inclusive of all work yet to be completed.
    • Product-wide list of bugs and their current state.
    • Project calendar.
    • Process guidance.
    • General documents and information.
      • Release notes.
      • Requirements documents.
      • Acceptance criteria.
      • Design documents.
      • Meeting minutes.
•  Software Configuration Management:
  •  Software requirements and approvals must follow an established and formal Software Configuration Management Plan. Using ADO, any given work item should have full traceability to see who created it, who approved requirements, who did the development, who tested it (QA), and who approved it out of UAT (which COR). Requirements for work items will be gathered and made workable by the BAs, then must be approved by the COR. If necessary, Requirements meetings can be conducted to give the development team an opportunity to ask clarifying questions. It is expected that by the time a work item is committed to a Sprint that requirements and acceptance criteria will be well known.
• Quality:
  • The Contractor is expected to develop and manage processes that support a high-quality application. This includes documenting and enforcing process and coding standards, performing internal QA (functional) testing on all new development prior to UAT and release, ensuring business requirements and acceptance criteria are properly recorded and approved, and using automation where possible to limit human error.
• Governance:
  • The Contractor shall be responsible for authoring and maintaining strategic documentation, to include:
    • Systems Design Documentation
    • Business Impact Analysis (BIA)
    •  Service Level Agreement (SLA)
    • Software Configuration Management Plan
    • Disaster Recovery Manual (cloud)
    • Resource Runbooks (cloud)
  • Additionally, the contractor shall provide assistance to NA-IM, as needed, for additional documentation essential to the continued Authorization and Accreditation (A&A) of CATS, to include:
    • FIPS-199 risk assessments
    • Information Systems Security Plan (ISSP)
    • Disaster Recovery and Continuity of Operations (DR/COOP) plan
    • Incident Response (IR) plan
• Training Videos:
  •  When deemed necessary, primarily for significant changes or the introduction of new functionality, or whenever directed by the COR, the Contractor shall produce videos sufficiently explaining the change. These videos shall be posted within the Customer Service Portal.
• Cloud Migration and Hosting:
  • Plans are currently underway to move CATS from traditional, on-premises hosting to the cloud. The Contractor shall be responsible for all efforts to design, test, document, migrate, update, and operate CATS in the cloud. This includes any and all updates to accommodate a hybrid Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) resource model with all cloud operations and maintenance (O&M) activities being performed by the Contractor going forward.
• Monitoring:
  • The Contractor shall develop and provide monitoring data, gathered from the CATS database or otherwise, on the use and activities of CATS end-users and administrators as well as background processes. This should include, but is not limited to:
    •  New user creation.
    • Changes to CATS Admin group.
    •  When a user is placed in username/password mode.
    • When a user is disabled but has assigned/open actions
    • When a disabled user is reenabled.
    • Active users and session statistics.
    • Daily DIF counts.
    • Automated data input/output validation and error reporting.
    • Stale accounts.
    • User lists
    • Action completion statistics.
    • Bridge transactions statistics.
  • Additionally, the Contractor shall be required to provide certain system and security logs, routinely or ad hoc, to NA-IM for Cybersecurity purposes.
• Customer Service:
  • The Contractor shall provide any/all assistance required in support of end-user requests or problems, as escalated by the CATS Support team or COR. The Contractor shall provide professional, courteous, and timely customer service and track requests in ADO, as necessary. Additionally, the Contractor shall be expected to provide off-hours support, as necessary, to support software releases, troubleshoot problems, respond to outages, perform system administration, and execute special projects.