TAC 7-3a Information Assurance and Protection

Performance Work Statement

Information Assurance and Protection

1. Background

The United States Agency for International Development (USAID) has Corporate
Headquarters in Washington, D.C., missions, and field offices in more than 80
countries that must share information electronically in support of USAID’s
humanitarian and development programs. USAID's work relies on interconnected,
automated information systems and networks. Therefore, it is imperative that the
Agency has assurance that its global information processing enterprise and
component systems operate with a high degree of confidentiality, integrity, and
availability. USAID and other Federal agencies face increased information system
security threats posed by hackers, viruses, and other threat agents. USAID requires
an information security program that will protect against these and other threats and
comply with regulatory requirements that include the Computer Security Act (CSA) of
1987, the Clinger-Cohen Act of 1996, OMB Circular A-130, Raines Rules, as well as
USAID’s directives. As the Agency evolves its information processing enterprise,
relies on increased remote access to electronic information systems, and supports a
mobile work force, USAID must ensure that cost-effective security mechanisms, policies,
and procedures are in place to protect Agency computers and information.

2. Objectives

The purpose of this TAC is to provide services that will maintain and improve USAID's
Information Systems Security (ISS) program and capabilities. Specifically, this TAC
shall provide assistance in the execution of USAID’s Information System Security
Officer (ISSO) responsibilities and in the implementation of Information Assurance (IA)
initiatives identified in the USAID’s Information Systems Security Program Plan
(ISSPP). Major objectives of this TAC include the following:

a. Implement approved core IA activities and projects defined in USAID’s ISSPP
to achieve OMB A-130 and CSA compliance.

b. Identify and begin the process to eliminate USAID ISS material weakness and
IG audit findings.

c. Work with USAID to protect its information systems (networks, computers,
firewalls, and networked systems) from unauthorized access.

d. Provide IA for current and future projects across USAID.

e. Provide ISS impact analysis support for waivers to USAID ISS policy and
procedures.

f. Provide IA consulting to organizations both inside and outside USAID.

g. Provide security operational certification and accreditation support for major
applications or systems connecting to USAID’s enterprise.

h. Assist the ISSO in processing USAID enterprise connection approvals.

i. Develop and promulgate computer and IA protection policy addressing
telecommunications, information systems, office automation, networks, and
Internet issues. Maintain and update ADS Chapter 545 and other
supporting documentation such as the ISSPP.

j. Provide recommendations and implementation assistance for the protection of
information systems and data, and the recovery of systems in case of
disaster or malicious acts.

k. Conduct periodic security training to educate and keep Agency personnel
aware of information and computer security threats and responsibilities, and
increase the level of ISS expertise.

l. Evaluate emerging security technologies and tools. When approved by USAID,
integrate them into the USAID enterprise.

m. Develop and implement an Agency wide security incident response capability.

n. Create, review and track tactical action plans that provide guidance for the
implementation and execution of ISS initiatives identified in IRM’s ISSPP.

o. Infuse life-cycle system security engineering processes and best practice into
USAID.

p. Capture Security Processes in a Best Security Practice Format that will be
provided by the Government.

q. Track Incident Response expenditures separately by a unique cost account
and document activities taken in each incident.

3. Scope

The contractor's efforts shall focus on the continuation and improvement of ISS at
USAID/W and overseas missions. The contractor shall employ, with USAID’s approval,
best practices such as those specified in the System Security Engineering – Capability
Maturity Model (SSE-CMM) in accomplishing the tasks within this TAC. Additionally,
the contractor shall, to the greatest extent possible, leverage on-going security activities
and product developments from other on-going government programs and industry
initiatives.

4. Statement of Work (SOW)

The contractor shall conduct the following activities in support of the ISSO’s execution
of his responsibility in concert with the ISSPP and IRMS’s Strategic Information
Resources Management Plan. The contractor shall ensure that no duplication or
overlap occurs between this TAC and other TACs under the USAID PRIME
contract.

4.1 Task Area 1 - Contract-Level and TAC management

4.1.1 Contract-Level Program Management.

The contractor shall provide the technical and functional activities needed for the
program management of this TAC. It shall include productivity and management
methods such as Quality Assurance, Configuration Management, Work Breakdown
Structure, and Human Engineering. Provide centralized administrative, clerical,
documentation and related functions. The contractor shall scope the appropriate level
of support required for this TAC.

4.1.2 TAC Management.

The contractor shall prepare a TAC Management Plan to be given to the FEDSIM
Contracting Officer (CO) and the USAID TAC Owner describing the technical
approach, organizational resources, and management controls to be employed to
meet the cost, performance and schedule requirements throughout the TAC’s
execution. The contractor shall provide a monthly status report to the USAID TAC
Manager that indicates the Quality Assurance, Configuration Management, and
Security Management applied to the TAC (as appropriate to the specific nature of this
TAC).

4.1.3 Documentation Standards.

The contractor shall, under this TAC, document security processes, standards, and
methodologies deployed within USAID in the “Best Security Format” developed by the
USAID Security Group.

4.2 Task Area 2 - IA Activities

The IA scope of work for the USAID Security Program can be divided into three broad
categories. These are:

a. Core ISSPP IA Activities
b. Recurring scheduled activities.
c. Unscheduled activities.

Due to the changing nature of security requirements, the TAC Owner will, as
necessary, provide the contractor direction on conflicting work and requirement
priorities. The contractor shall provide qualified staff to support these three broad
categories. The contractor shall prepare a staffing profile, work breakdown, and
schedule as part of this TAC.

4.2.1 Core ISSPP IA Activities

The contractor shall conduct the following activities in support of the ISSO’s role of
providing IA for USAID’s enterprise.

4.2.1.1 Periodic Assessment of USAID’s ISSPP Activities

The contractor shall conduct a periodic assessment on the implementation progress of
USAID’s Information Security Program. This assessment will include alignment with
USAID’s strategic objectives, resource impacts, compliance with existing regulations,
and impacts of ISS Threats and Vulnerabilities, ISS technology and capabilities. The
contractor shall include an evaluation of progress made in implementing the 10
security program areas identified in the ISSPP. The contractor shall identify and
maximize the use of current assessment reports or on-going assessment activities in
conducting this task.

The assessment shall:

1. Provide progress reports of USAID’s compliance with Federal policy and
guidance.

2. Identify ISS projects current, near-term (1 year out) and far-term (2-3 years out)
that are required to meet and/or maintain OMB A-130 and CSA compliance.
The contractor shall use the Tactical Plan format for identified projects unless
otherwise directed by the government. The plan shall include rough order
magnitude (ROM) estimated resource requirements for implementation.

3. Recommendations on who, what, and how to implement identified projects

4. Incorporation of assessment results as part of the update of USAID’s ISSPP
(the management version)

The first draft of the report is to be delivered no later than 10 working days after the
end of the initial assessment. USAID will have 10 working days to respond with
comments; the final report is to be delivered 10 working days after receipt of USAID
comments. Unless otherwise directed by the government, non-receipt of comments
after 10 working days constitutes approval of the report.

Reports will be presented in straightforward English by avoiding whenever possible the
use of technical and government jargon and technical terminology.

4.2.1.2 Continuing On-site Risk Assessment (RA)

The contractor shall conduct periodic RA, compliance, and other ISS related
assessments across the USAID’s enterprise. This task shall include an on-site
assessment of four USAID overseas Missions as part of USAID’s mission ISS
assistance visit. The contractor shall be given a minimum of thirty (30) calendar days’
notice of this requirement. The contractor shall prepare a schedule, work plan, and
resource estimates for this activity. The contractor shall include a rough order cost
estimate for each trip as part of the overall project plan for this TAC.

This RA assessment shall address, but not necessarily be limited to: knowledge of and
compliance with existing regulations; ISS vulnerabilities; appropriate audit tools;
appropriate use of encryption and user authentication tools; applicability of existing
ISS policies and procedures; emergency preparedness; appropriate implementation
and effectiveness of existing or planned safeguards (e.g. firewalls); adequacy of
staffing in terms of numbers of people, knowledge and experience; and, adequacy of
organizational structure, responsibilities, and authority. The RA activity shall follow the
guidance and procedures identified in the USAID mission risk assessment
procedure handbook. As a minimum:

1. The RA report delivered by the contractor shall be based on the output of
government-approved tools or other tools recommended by the contractor and
approved by USAID.
2. Identified vulnerabilities/risks will be ranked by risk categories “HIGH”,
“MEDIUM” and “LOW”; within the “HIGH” and “MEDIUM” risk categories the
contractor will prioritize all vulnerabilities and threats in terms of most important
to least important to be addressed.
3. Estimated resources, time frames and dependencies required for correcting or
minimizing “HIGH” risk will be included in the analysis report.
4. Prepare a briefing for USAID senior management on the results of completed
RA that will include handouts of presentation material.

The contractor shall deliver the draft of the report 25 working days after the RA event.
USAID will have up to fifteen (15) working days to provide comments on the first draft
of the report. The final report shall be delivered within 10 working days after receipt of
Government comments. The contractor shall format the report of findings and
recommendations in a standard format consistent with CMM level two and higher
practice. Unless otherwise directed by the government, non-receipt of comments after
10 working days constitutes approval of the report.

When directed, the contractor shall prepare a briefing package suitable for USAID’s
executive management. The contractor shall deliver a draft briefing five (5) working
days after USAID’s approval of the RA report. USAID will have five (5) working days
to review and provide comments on the briefing package. The contractor shall deliver
the final package five (5) working days after receipt of the comments. The contractor
shall be prepared to conduct the briefing when requested by the ISSO.

4.2.1.3 ISSPP Update and Maintenance

The contractor shall conduct a yearly update of USAID’s ISSPP. The update shall
include project plans submitted by the contractor for USAID approval that shall include
implementation actions, requirements for staffing, funding, personnel, calendar time
estimates for implementation, end products, performance measures, and other
relevant resources. These products shall be directly usable by USAID’s ISS Working
Group (ISSWG) and the Capital Investment Review Board (CIRB).

When approved by USAID and validated by FEDSIM, the contractor shall implement
approved and funded project plans that are appropriate for this TAC.

As part of the ISSPP update and maintenance, the contractor shall keep an ongoing
project summary that will include:

1. Scheduled and unscheduled tasks completed and in progress.
2. Tasks remaining to be accomplished and proposed schedules.
3. Staffing required for each task.
4. Report Earned Value Metrics to USAID’s MGT to track USAID’s program
compliance with OMB A-130 and with the CSA.

A written, up to date project summary will be available upon request by the USAID
Task Manager or designated representative.

4.2.1.4 Network Security Operations

Until directed by the Government, IA operational activities shall be conducted as part
of this TAC. The contractor shall continue the current operational ISS support
provided to the USAID’s enterprise in the following areas:

1. Maintenance and administration of the USAID’s Redundant Metropolitan Area
Network (RMAN) Firewall(s).
2. Maintenance and administration of the USAID’s RMAN Advanced
Authentication System for remote users (SmartGate).
3. Development and maintenance of IRM’s IA knowledge database.
4. Periodic audit of the ID and password database of the USAID mainframe.
5. Technical consulting for USAID’s customers and partners.
6. Continuing consulting support for USAID’s anti-virus program.

4.2.1.5 Security Certification and Operational Authorization Support

The contractor shall develop and document an ISS Certification and Accreditation
(C&A) Program for USAID’s implementation. The ISS C&A program shall support the
security requirements specified by federal and USAID’s organizational policy and
directives.

The C&A program shall include approach, processes, methodologies, organizational,
and staffing requirements that may include managerial and operational support from
organizations outside of M/IRM.

The contractor shall provide security audit, certification and accreditation standards
that can be used for certification of the Agency’s information systems during their life
cycle. Audit, compliance and accreditation criteria will include but not necessarily be
limited to:

1. Computer operating system and application software and data protection from
unauthorized access and modification.
2. Access controls for sensitive but unclassified (SBU) data in forms.
3. Software and data backup and alternative processing requirements and
capabilities.
4. Contingency of Operation Plan (COOP).

Deliverables from this effort shall include a document that will include bulletized
security checklists for use by personnel performing the function of application system
owner and program manager, LAN manager, network administrator, and other
functions as appropriate. The contractor shall propose the appropriate level of
document required for the C&A program for USAID’s approval.

The contractor shall also support the development of the USAID enterprise security
architecture. The contractor shall ensure that key security requirements are
addressed as part of the overall enterprise engineering activity.

4.2.2 Recurring Scheduled Activities

The contractor shall conduct recurring activities in support of the ISSPP and the
ISSO’s responsibilities. These shall include as a minimum the following areas:

1. Basic Security Awareness Training - The contractor shall review existing
training materials and develop new and revised materials as required. The
contractor shall develop a training schedule, coordinate and make all
arrangements for on-site training, and conduct training as scheduled. Training
will be provided to:

a. new hires (contractor and direct-hire employees) for approximately one
hour every two weeks in coordination with and as part of the mandatory
security training provided by the USAID Inspector General's Office;
b. computer analysts and operational staff, up to four hours semi-annually,
who control access to computer platforms or implement security standards
(between 60 and 100 people);
c. system owners and program managers of critical and essential
information systems, up to four hours annually (between 20 and 60 people);
d. the general USAID population that includes on-site direct-hire and
contractor personnel, up to four hours annually.

Training for on-site personnel will be given in USAID’s space. Security
awareness training information will be made available to off-site personnel via
the USAID Intranet web page.

Security Awareness training will include, but not necessarily be limited to:

a. security responsibilities of each job function;
b. any specific current threats such as viruses and alleged viruses, and hacker
or other unauthorized access incidents;
c. "what" and "how to" information on meeting individual responsibilities;
d. how to conduct compliance assessments of individual security
responsibilities;
e. obtaining assistance in correcting problem areas;
f. use of available security tools and resources.

The contractor may have to schedule more than one class for each training
session to accommodate operational schedules.

Security awareness training will consist of scheduled classroom training,
periodic USAID Electronic Bulletin Board issuance, information and checklists
available for retrieval from USAID's internal Web page, quarterly IRM
Newsletter articles, etc. Requirements of the Privacy Act, Computer Security
Act of 1987, OMB Circular A-130, and USAID policy and implementation
requirements will be covered.

The contractor shall provide to training participants printed reference materials
for each functional training category that will include a printed summary
checklist of security responsibilities. Checklists, guidelines and other relevant
material will be stored in an electronic format that is accessible by any person
authorized to access the USAID Intranet.

The contractor shall also prepare and issue evaluation forms to participants of
classroom training. The evaluation forms will be used to a) determine
participant's view of the training provided and b) improve usefulness and
effectiveness of training provided in future presentations. The evaluation form
will include such things as clarity/ease of understanding of material presented;
applicability and usefulness to participants; understanding of subject material;
comprehensiveness of training provided, usefulness of training materials
(handouts, overhead slides, etc.), instructor's presentation skills, and suggested
security topics for future training. The contractor will collect the training
evaluation forms and submit them to the USAID TAC Manager or designated
representative.

2. Vulnerability audits - The contractor shall conduct periodic vulnerability audits of
USAID's private and public networks that will include, but not necessarily be
limited to firewall(s), routers and servers. Audits will identify existing and
potential security vulnerabilities and the appropriateness of having the local
operations staff perform future vulnerability audits. The specific types of
equipment, quantity of each, and frequency of auditing will be determined from
approved recommendations resulting from the ISS assessment identified in
section 4.2.2. The resultant deliverable/delivery schedule from these audits will
be the same as specified in part 4.2.2 of this TAC.

3. Centralized Repository - The contractor shall develop (if necessary) and keep
up to date a centralized repository of security information and contractor
deliverables. To the extent possible, this will be an electronic repository with an
index for storage and retrieval purposes and will be kept on a USAID server
with access by both IRM Security direct-hire and USAID PRIME Team. This
centralized repository will include, but not necessarily be limited to:

a. An inventory of critical and sensitive systems, and individuals
responsible for audit and training purposes.
b. ISS assessment results.
c. Vulnerability audits and customer responses.
d. Training materials by class and/or topic.
e. ISS personnel and points of contact both internally and externally.
f. Contractor deliverables.

4. ISS Policies and Procedures – Each TAC year the contractor shall conduct a
review, and as necessary, update Agency Information Security policies and
procedures promulgated by the Automated Directives System (ADS).

5. Emergency Preparedness - Each TAC year the contractor shall conduct a review of
the Agency's emergency preparedness program regarding:

a. Continuity of Operations / alternative processing capabilities.
b. Disaster recovery requirements.

The contractor shall provide a written report of findings and recommendations
for improving emergency preparedness for Agency critical systems. The
contractor may be required to provide expertise and staffing to implement
approved recommendations.

6. Security Test Lab - Within the confines of resource availability, the contractor
will maintain an up to date operational test lab of hardware, software and
processes that is used for, but not necessarily limited to:

a. Testing and evaluating various security hardware, software, processes and
devices compatible with but independent of the Agency's production
system.

b. Conducting security compliance and vulnerability audits and scans of the
Agency's information systems as part of an ongoing program designed to
detect, report and prevent unauthorized access / intrusion vulnerabilities.

The contractor, with USAID’s approval, may use their existing test facilities if it
provides cost benefits for USAID.

7. Data Encryption - The contractor shall provide support, as required, to
implement and maintain an operational data encryption capability for storing,
processing, transmitting, and receiving SBU data within USAID's
telecommunications network. Included in this support will be all activities required
to establish and maintain public and private encryption keys (Key management),
and promulgate information on the proper use of the encryption capability.

8. Network Access Controls

a. The contractor shall staff the operation, configuration and administrative
requirements of USAID's telecommunications network firewall equipment
and software, ensuring that user access information is kept up to date,
software is updated as appropriate, and backup data is maintained for
restoration of operation in the event of malfunction.

b. The contractor shall also provide necessary support for the implementation,
continued maintenance and administration of advanced user authentication
hardware and/or software.

Normal work-hour operational requirements will be eight hours per day, five days
per week. Overtime and holiday work may be required and shall be approved in
advance by the USAID TAC Manager except in an emergency. The exception to this
is the operational support required for the Firewall. The contractor shall support this
requirement with 5X8 staffing and on-call emergency support.

9. TOP SECRET SCI Support - The contractor shall be able to provide staff to
support the operation requirements of a TOP SECRET Secure Compartmentalized
Information Facility (SCIF). More information will be provided during TAC
negotiation.

10. Incident Response Support to Office of Security - The Office of Security requires
technical ISS support and assistance to investigate potential breaches of security
in Bureaus and independent offices at USAID’s main office complex in Washington,
DC.

a. At the direction of the agency’s ISSO, a support team from the USAID
PRIME contractor will be formed to provide the necessary ISS technical
support. This technical support will focus on three areas: identification of
compromised information and materials, the search for subject information
on identified computer resources, and the removal and sanitization of
designated information from designated information systems and
equipment.

b. In addition, with the concurrence of the agency ISSO the USAID PRIME
Security TAC 98-07 can be tasked for further assistance beyond the original
task.

c. Objectives for this task are:

(1) Protect National Security Information whose loss could result in damage
to National Security and/or loss of life
(2) Assist the Office of Security in the identification of potentially exposed
classified material, information, and documents
(3) Return network operations to normal as soon as practical
(4) Clean designated computer systems as required by the Office of Security
(5) Report findings, actions, and any follow-on information security
recommendations to IRM management, bureau/office representatives,
the ISSO, and the Office of Security officials

11. Reviews - The contractor shall conduct progress reviews of ISS projects quarterly.
By the 10th working day after this TAC monthly reporting period, the contractor shall
schedule a meeting with and provide to the TAC OWNER a written and verbal
report with any proposed work schedule changes. As approved by USAID, the
contractor will implement updated project plans and schedules and produce
required deliverables. Contractor reporting will include, but not necessarily be
limited to:

a. Planned and unscheduled activities for the reporting period.
b. Accomplishments.
c. Summary of security status.
d. Problems encountered and implemented and proposed solutions.
e. Contractor's evaluation of their performance for the reporting period.
f. Proposed project plan and deliverables for the next six months or to
contract/task order end, whichever is the shorter period of time.

4.2.3 Unscheduled Activities

Within the priorities determined by USAID, the contractor shall provide staff to
effectively deal with and resolve Information Security problems and issues related,
but not necessarily limited, to the following types of unscheduled requirements.

1. Incident Response, that will include, but not necessarily be limited to
hacker detection/tracking, virus rumors and attacks, general questions,
technical consulting and answers regarding computer security.

2. Assistance to the Agency Communication Security (COMSEC)
Custodian, which will include but not necessarily be limited to keeping inventory
accounting records of communication security equipment, providing operational
assistance to users of COMSEC equipment, coordinating with inter- and intra-
agency personnel as required to ensure proper use and accounting of classified
equipment.

3. General requirements:

a. respond to OMB, Congressional, Management, etc. inquiries on
the status of security components or functions;
b. respond to change in management direction, new and additional
requirements. Prepare revised project plan(s), schedules and resource
requirements;
c. hardware, software, procedures and product research and
development:

1. as part of proposed hardware and software architectural changes
2. as part of proposed changes in information security practices and
capabilities
3. as part of proposed change in standard suite of user hardware
and software, and other enterprise wide network hardware and
software platforms

d. respond to security inquiries from Missions and other USAID organizations
(ad hoc support)
e. provide ISS support to program funded activities in support of USAID’s
strategic objectives

Specific deliverables/end results will be determined at the time of assignment. The
contractor shall maintain an up to date status of activities and generate statistics and
reports as may be required.

4.3 Task Area 3 - Information Exchange Meeting and ISS Working Group (ISSWG)

The contractor shall support the implementation and conduct of a monthly USAID
ISSWG. The contractor shall assist the ISSO in the conduct of the meeting and
provide technical support. Additionally, the contractor shall support all ISS team
offsites, periodic USAID offsites, and EXOs, Controllers, and System Managers
conferences. The contractor shall plan for a total of two (2) offsites each TAC
performance year. The contractor shall prepare and deliver minutes from these
proceedings for USAID’s review and approval.

4.4 Task Area 4 - Risk Management

The contractor shall address risks that will impact the delivery of services and products
requested in this TAC. The contractor shall identify the risks and present mitigation
options for USAID’s review, selection and approval. The contractor shall include a risk
tracking and mitigation process as part of the TAC project plan that shall be submitted.

4.5 Task Area 5 - Best Security Practices (BSP) Support Activities

The contractor shall provide technical support as part of the USAID’s BSP activities.
Specifically, the contractor shall prepare white papers, briefings, and analysis, and attend
working group meetings required to implement CIO BSP tasking.

Specifically, the contractor shall produce and deliver the reports, products, and
services identified in section 6 of this TAC.

The contractor shall support USAID’s ISSO interagency coordination as part of the
BSP. This support shall include participation at Federal INFOSEC working groups and
committees identified as necessary to support the development of the MISSP.

5. Period of Performance

This period of performance will run one calendar year from date of TAC award. There
will be three (3) optional one-year renewal periods. The overall period of performance
will not exceed the life of the USAID Prime contract. This TAC will cover the period
from May 29, 2000 through May 31, 2001.

6. Schedule of Deliverables

Deliverables and schedules will be determined at the time of task assignment unless
identified elsewhere in this TAC. Reports will be provided in written and electronic
forms. USAID will migrate to a Microsoft Office environment. The contractor shall
deliver electronic versions compatible with this environment.

The contractor and the Government will monitor the timely progress of this TAC using
the following schedule of significant milestones.

Milestones/Deliverables    Responsibility    Date

Project Start (PS)         USAID/PRIME       PS
Project Plan               PRIME             PS + 15 workdays
Risk Management Plan       PRIME             PS + 15 workdays
Updated ADS 545            PRIME             Jan 15, 2000, April 15, 2000, July 15, 2000, Oct 15, 2000
Updated ISSPP              PRIME             March 1, 2000
Earned Value Plots         PRIME             Quarterly
Monthly Project Report     PRIME             Monthly
Proceeding Minutes         PRIME             5 workdays after event

In addition, each task area below will have specified milestones for performance and
delivery of services and products.

1. Assessments, Project Plan Development Implementation Support:
Deliverables from these tasks are defined in section 4.

2. Recurring Scheduled Activities:
The contractor will define deliverables from these tasks as part of deliverables
required in section 4.

3. Unscheduled Activities:
Deliverables and performance measures for this work category will be defined
at the time tasks are assigned.

4. Task Area 5 BSPTF Activities Support

The contractor shall deliver the following.

• White Papers (1 minimum)
• Analysis conducted
• Meeting minutes
• Briefing Slides with supporting notes
• Prototype web site for review of negotiated BSPs. (6 minimum)

7. Security Guidance:

The contractor may be required to have access to classified information or data within
government-controlled space. Therefore, ISS contractor employees shall be required
to have a secret clearance as a minimum. The contractor shall be able to provide ISS
personnel that are clearable to the TOP SECRET and SCI level when needed. The
USAID Prime contract, form DD 254, provides security classification guidance
applicable to the contractor. No contractor employee will be granted access to any
classified information for which he or she has not been cleared.

The contractor will not be required to possess, process or retain any classified data at
the contractor-provided location. The contractor may be required to process and store
sensitive but unclassified (SBU) information/data at the contractor's site.

The contractor shall use USAID approved means to conduct remote access into
USAID’s enterprise.

The contractor shall ensure that adequate security is provided for all government
property in its possession from loss, unauthorized access, modification and disclosure.
This includes USAID information and data collected, processed, transmitted, stored or
disseminated when and where under the contractor's control.

The contractor shall comply with the requirements of the USAID computer security
program as defined by the USAID Automated Directives System (ADS).
