The purpose of this Contract is to procure the full range of cybersecurity, network operations, management, and other professional support services described herein for the DHS HQ OCIO and select DHS Components. These services will enable DHS to provide network, cloud platform, system, application, and cybersecurity monitoring and analysis, incident management and coordination, and alert and notification functions in support of the broader DHS information enterprise and to provide other related cybersecurity services.
The primary objective of this Contract is to evolve the DHS HQ NOSC to build a best-in-class service entity that meets DHS Cybersecurity Provider (CSP) Program, industrial, and other doctrinal Center of Excellence service maturity standards. The secondary objective is to redefine the DHS HQ NOSC as the central hub of IT Service Management—for network infrastructure (WAN and select LAN); platform (including cloud), system, and application; and cybersecurity—monitoring and analysis, event and incident management, and incident response and recovery for the DHS OneNet at all information processing and classification levels – open source, SBU and CUI, Classified (Secret and Top Secret), Sensitive Compartmented Information, and Special Access Program information.
Network infrastructure monitoring and analysis and event and incident management and response services include, but are not limited to, proactive and reactive monitoring of all network infrastructure comprising the OneNet WAN and all DHS HQ / Management Directorate LANs, including the up/down status of all circuits as well as edge infrastructure devices and boundary points for both HQ and DHS components.
Cloud, platform, system, and application monitoring and analysis and event and incident management and response services similarly include, but are not limited to, proactive and reactive monitoring of all tenant cloud, platform, FISMA system, and other applications.
Cybersecurity services include but are not limited to the following general classes of cybersecurity capabilities and functions: monitoring and analysis (M&A) support, log management support, incident handling and incident response support, asset visibility and monitoring, email security, cyber threat intelligence (CTI) support, intrusion defense, threat hunting, cyber forensics and malware analysis (CFMA), evidence management and insider threat support, cybersecurity maturity analytic testing (blue, purple, and red teaming), and penetration testing. Additional cybersecurity services such as DHS CSP component Network Operations Center (NOC) / Security Operations Center (SOC) audits, the Information Security Vulnerability Management Program, Security Control Assessment Support, and reporting on Federal Information Security Modernization Act (FISMA) metrics are also included.
All of this work (network infrastructure; cloud, platform, system, and application; and cybersecurity monitoring and analysis and event and incident management and response) includes coordination with other internal and external entities and vendors on service degradation/outage triage and root cause analysis; service restoration coordination, including some Tier 3 engineering and operations and maintenance activities for select edge devices; and end-to-end communication and coordination leveraging various technologies and communications methods.
This scope of work also includes the establishment of a Program Management Office (PMO) to baseline, evaluate, and continuously improve all capability elements (doctrine and policy; organization and planning; test, training, and exercise; systems; leadership; personnel; facilities; and regulations and standards) of the DHS NOSC over time in accordance with industry standards and best practices, to include the Information Technology Infrastructure Library (ITIL) v4; the Capability Maturity Model Institute (CMMI) for Services; the Software Engineering Institute’s CERT Resilience Management Model; the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF); other NIST guidance (including NIST SP 800-53 Rev. 5); International Standards Organization / International Electrotechnical Commission (ISO/IEC) standards; and U.S. law and policy.
Task 1: Contract Management
- Contract Management facilitates all services and operations management functions for the contract. It involves the development, implementation, and administration of the Contractor’s support services. The contractor shall provide program management oversight, reporting and other general contract management services needed to achieve the cost, schedule, performance, quality, and communication goals under the contract.
Task 2: Capability Delivery and Improvement
- The Contractor shall support the design, development, staffing, management, implementation, and continuous improvement of a PMO or similar structure (e.g., Center of Excellence) to define, measure, manage, and continuously improve and optimize IT service management and cybersecurity capabilities and services in accordance with ITIL v4, CMMI for Services, NIST CSF, DHS Systems Engineering Lifecycle (SELC), and other best practices relevant to the capabilities and services being delivered. This service management function shall be in support of developing all capability elements (doctrine, planning, and governance, organization, training, systems, tools, and technologies, leadership, personnel, facilities, regulations, and standards) that comprise DHS information enterprise network, cloud/platform/system/application, and cybersecurity services.
Task 3: Network, Cloud, and Cybersecurity Monitoring and Analysis, Event and Incident Management and Response, and Associated Support Services
- The Contractor shall be responsible for planning, organizing, developing, managing, implementing, and continuously improving all network, cloud/platform and system/application, and core cybersecurity M&A and event and incident management (including alert and notification and event remediation) services in accordance with ITIL v4, CMMI for Services, the NIST CSF, the DHS SELC, DHS CSP, and FCEB and DHS requirements.
Task 4: OneNet Network Infrastructure Operations and Maintenance Support Services
- The Contractor shall provide full-scope operations and maintenance (O&M) support for OneNet edge infrastructure, including engineering support that is typically considered Tier 3 or Tier 4 support. This infrastructure consists of: Layer 2 switches, Layer 3 switches, routers, hubs/concentrators, gateways, bridges, and repeaters; modems, wireless LAN controllers, and wireless access points; load balancers; forward and reverse proxy servers and devices; network, application, database, and web application firewalls; intrusion detection and prevention devices; network sandbox devices (including honeynets); encryption and decryption devices (including TACLANE®); and all other networking elements and cybersecurity devices at points where Component sub-networks and Local Area Networks connect to the OneNet and where the OneNet connects to TICs or Policy Enforcement Points or Points of Presence.
Task 5: Field Engineering Technical Services
- The Contractor shall station Field Engineering support personnel regionally throughout the Continental United States (CONUS) to provide IT support requiring hands-on intervention at DHS facilities and sites lacking local IT support. The Contractor shall post Field Engineering support personnel at select CONUS locations from which they may be dispatched to facilities requiring support. Field Engineering support personnel shall be qualified to determine the nature of a service outage at a location and shall initiate response activity to restore service. Field Engineering support personnel shall be capable of determining whether an outage is the result of a commercial circuit failure or if it is due to some internal failure at a facility. For failures determined to have occurred within a facility, Field Engineering support personnel shall be capable of identifying the failed network or system components and be capable of either restoring the failed components to an operational status or of replacing those components as circumstances require. Failing components may include routers, switches, firewalls, servers, and desktop computing devices.
Task 6: Other Cybersecurity Services - Cybersecurity Services Provider (CSP) Program
- All DHS FISMA systems are required to obtain NOC or SOC services from a DHS accredited NOC or SOC. DHS Component NOCs and SOCs must pass a formal assessment and receive a designation of either Accredited or Center of Excellence (COE). COEs are authorized to provide NOC and SOC services to other DHS Components. Accredited organizations are authorized to provide services only to their own Components and associated systems. Components that fail to achieve Accredited or COE designations are unaccredited and must subscribe to the services of a COE NOC or SOC from within DHS. Each accredited NOC and SOC will undergo a periodic reaccreditation and will be inspected at least every three (3) years or when Providers or Subscribers revise their service agreements. Component Subscribers will be assessed on their Provider’s anniversary date to ensure services received meet the required maturity level.
Task 7: Surge Support
- The Contractor shall provide surge support for additional Subject Matter Experts (SMEs) and support personnel for these previous tasks upon request. This support includes unforeseen priorities, legislative or organizational policy changes, or mission changes that are within the scope of this contract to meet the expanding DHS mission; performing disaster recovery analysis for potential Government facilities; and development of the contract Transition-Out Plan and transition-out implementation activities. More information will be defined at the task order level. Surge support will be project-specific and temporary.