Functional Area Two – Information Systems Engineering

Software Development: A set of activities that results in software products. Software development may include new development, modification, reuse, re-engineering, maintenance, or any other activities that result in software products. Providing for project management, planning, design, building and implementation of client ¬specific applications, taking responsibility for achieving contractually specified results.

System Design Alternative Studies

Software Distribution, Licensing, Maintenance: The Contractor shall provide for software maintenance and/or software licenses from 3rd party vendors in support of tasks falling within this functional area

The Contractor shall provide resources to support in the development, analysis, and implementation of IT strategies, architectures, program planning and assessment, and risk, trade-off, requirements, alternatives, and feasibility studies that advance the goals and objectives of the Government.

Feasibility Studies: The Contractor shall provide resources to facilitate evaluation of a prospective project for the purpose of determining if the project should be undertaken. Feasibility studies normally consider the time, budget, and technology required for completion.

• Information Technology (IT) Strategic Planning and Mission Need Analysis
• Information Technology Organizational Development
• Information Technology Program Analysis, Assessments and Studies
• Information Technology Research and Development: The Contractor shall provide the resources to identify and research emerging technologies in the IT area. Based on this research, the Contractor shall develop and evaluate prototype solutions and present findings and recommendations to the Government for their consideration.

The defined series of tasks within an organization to produce a final outcome. Sophisticated workgroup computing applications allow you to define different workflows for different types of jobs. The workflow software ensures that the individuals responsible for the next task are notified and receive the data they need to execute their stage of the process.

The Contractor shall provide resources to support in the development, analysis, and implementation of improvements in the flow of business, work, and program processes and tool utilization.
Benchmarking/Operational Capability Demonstrations
Change Management

Typically, a CIO is involved with analyzing and reworking existing business processes, with identifying and developing the capability to use new tools, with reshaping the enterprise's physical infrastructure and network access, and with identifying and exploiting the enterprise's knowledge resources. Many CIO's head the enterprise's efforts to integrate the Internet and the World Wide Web into both its long-term strategy and its immediate business plans.
Enterprise Resource Planning Systems Development and Integration: An approach to organizational integration management that relies on integrated application software to provide data on all aspects of the enterprise, such as finance, inventory, human resources, sales, etcetera. The objective of an Enterprise Resource Planning Systems is to provide data, when as needed, to enable an entity to monitor and control its overall operation.
Enterprise Resource Systems Management
Enterprise Resource Systems Planning
Information Assurance Activities
Information Operations
Inter/Intra-Agency Enterprise Resource Planning

The Contractor shall provide resources to support any or all phases and stages of SLCM, including planning, analysis, troubleshooting, integration, acquisition, installation, operation, maintenance, training, documentation, and administration. The Contractor may be responsible for obtaining and/or supporting the necessary software, hardware, firmware, resources, etc. required for a system project.
Cost Benefit Analysis, Cost Effectiveness Analysis
Risk Analysis and Assessment
Stakeholder Analysis
Total Cost of Ownership Studies

The Contractor shall provide software engineering support (including planning, analysis, design, evaluation, testing, quality assurance, and project management) in the application of computer equipment through computer programs, procedures, tools, and associated documentation.
Software Quality Assurance

CRM entails all aspects of interaction a company has with its customer, whether it is sales or service related.

The Contractor shall provide instructional design, and modeling & simulation. Instructional Design is the systematic development of instructional specifications using learning and instructional theory to ensure the quality of instruction. It is the entire process of analysis of learning needs and goals and the development of a delivery system to meet those needs. It includes development of instructional materials and activities; and tryout and evaluation of all instruction and learner activities. Instructional Design is that branch of knowledge concerned with research and theory about instructional strategies and the process for developing and implementing those strategies. Instructional Design is the science of creating detailed specifications for the development, implementation, evaluation, and maintenance of situations that facilitate the learning of both large and small units of subject matter at all levels of complexity. Instructional Design can start at any point in the design process. Often a glimmer of an idea is developed to give the core of an instruction situation. By the time the entire process is done the designer looks back and she or he checks to see that all parts of the "science" have been taken into account. Then the entire process is written up as if it occurred in a systematic fashion.

Software Capability Evaluation (SCE) – It may be necessary on certain task orders to perform software capability evaluations (SCE). The Government may use the SCE developed by the Software Engineering Institute (SEI) Carnegie Mellon University (CMU), www.sei.cmu.edu, Pittsburgh, PA, 15213, in evaluating the contractor’s/subcontractor’s task order proposal. The SCE level required will be specified in individual task orders.
Capability Maturity Model (CMM) – The Capability Maturity Model for Software (or SW-CMM) is used for judging the maturity of the software processes of an organization and for identifying the key practices that are required to increase the maturity of these processes.
Capacity Maturity Model Integration (CMMI) – The Capability Maturity Model Integration (CMMI) provides models for achieving product and process improvement. The output of the CMMI project is a suite of products, which provides an integrated approach across the enterprise for improving processes, while reducing the redundancy, complexity and cost resulting from the use of separate and multiple capability maturity models (CMMs). To improve the efficiency of model use and increase the return on investment, the CMMI project was created to provide a single integrated set of models.

Anti-Virus Management Service enables the detection and removal of system viruses. The service scans executable files, boot blocks and incoming traffic for malicious code. Anti-virus applications are constantly active in attempting to detect patterns, activities, and behaviors that may signal the presence of viruses. AVMS enables Agencies to procure anti-virus capabilities that protect their infrastructure.
Intrusion Detection and Prevention Service (IDPS): Agency enterprise networks, like their commercial counterparts, continue to be challenged with increasing security risks. Intrusion Detection and Prevention Service (IDPS) will serve as a component of the Agency’s security infrastructure by providing an extra layer of protection for its internal networks. IDPS is a security offering that helps reduce network service disruptions caused by malicious attacks.
Virus Detection, Elimination, and Prevention: The Contractor shall provide virus detection, elimination, and prevention support.

The Contractor shall provide biometrics services including the reading of the measurable, biological characteristics of an individual in order to identify them to a computer or other electronic system. Biological characteristics normally measured include fingerprints, voice patterns, retinal and iris scans, faces, and even the chemical composition of an individual's perspiration. For the effective "two-factor" security authorization of an individual to a computer system, normally a biometric measure is used in conjunction with a token (such as a smartcard) or an item of knowledge (such as a password). Biometrics might include fingerprints, retina pattern, iris, hand geometry, vein patterns, voice password, or signature dynamics. Biometrics can be used with a smart card to authenticate the user. The user's biometric information is stored on a smart card, the card is placed in a reader, and a biometric scanner reads the information to match it against that on the card. This is a fast, accurate, and highly secure form of user authentication.

The Contractor shall provide computer security awareness and training.
Computer Security Incident Response
Computer Security Planning
Security Policy Compliance

The Contractor shall provide disaster recovery, continuity of operations, and contingency planning support, including those for software applications, which are processed on various computer platforms (e.g., personal computers, mainframes, and mini-computers.
Hot-site and Cold-site Support Services: Contractor will provide disaster recovery sites, computer systems, network resources and technical professional services to support disaster recovery test exercises and disaster recoveries within twelve (12) hours of a disaster declaration, or when Government personnel occupy the contractor’s recovery facility, whichever is sooner. Contractor personnel assigned to support the customer’s recovery exercises and recovery events shall be U.S. citizens and shall be subjected to background investigations to determine suitability for employment, and receive computer security awareness training in accordance with the Computer Security Act of 1987.
Critical Infrastructure Protection
Incident Response Service (INRS): In an effort to combat cyber attacks and crime, Agencies intend to implement Incident Response Service (INRS) as part of their security portfolio. This offering is one of the security tools that will help in responding to potential malicious attacks that can lead to service disruptions. INRS allows Agencies to complement their in-house security expertise, or obtain outside assistance with a greater depth and breadth of experience. INRS is comprised of both proactive and reactive activities. Proactive services are designed to prevent incidents. They include onsite consulting, strategic planning, security audits, policy reviews, vulnerability assessments, security advisories, and training. Reactive services involve telephone and on-site support for responding to malicious events such as Denial of Services (DoS) attacks; virus, worm, and trojan horse infections; illegal inside activities, espionage, and compromise of sensitive internal agency databases. INRS provides an effective method of addressing these security intrusions, thereby ensuring operational continuity in case of attacks. In addition, INRS provides forensics services that can assist in apprehending and prosecuting offenders.
System Recovery Support Services: The Contractor shall provide personnel resources to ensure a system recovery capability that will support Government goals and objectives. As a minimum, the Contractor must provide the capability for hot-site/cold-site recovery of all critical software programs and sensitive Government information. The requirements for system recovery support services will be based on the analysis of strategic planning factors; the strengths and weaknesses of the system, as obtained through threat assessment and risk analyses; and cost and benefit trade-offs.

The Contractor shall provide for software/hardware maintenance and/or software licenses from 3rd party vendors in support of tasks falling within this functional area.

The Contractor shall provide technical resources to define, develop, and conduct Independent Validation and Verification (IV&V) Tests for Mainframe Automation Information Security; Certification of Sensitive Systems; and Security for Small Systems, Telecommunications, and Client Server. Validation testing shall be designed to ensure that the software developed fully addresses the requirements established to provide specific operation functions. Verification testing shall be designed to determine whether the software code is logically correct for the operation functions for which it was designed. It is expected that the operational areas listed above will be contracted as separate IV&V tasks.
Certification of Sensitive Systems: The Contractor shall provide support in the certification of sensitive systems.
Mainframe Automated Information Security Support: The Contractor shall provide operational and analytical support related to security for mainframe information assets.
Security for Small Systems, Telecommunications, and Client Service: The Contractor shall provide security for small systems, telecommunications, and client server support.

Managed E-Authentication Service (MEAS) provides Agencies with electronic authentication services in order to seamlessly conduct electronic transactions and implement E-Government initiatives via the Internet. The service enables an individual person to remotely authenticate his or her identity to an Agency Information Technology (IT) system. The service shall connect to Agency networking environments including, but not limited to Agency Demilitarized Zones (DMZs) and secure LANs. Managed E-Authentication Service consists of hardware and software components that provide for remote authentication of individual people over a network for the purpose of electronic government and commerce. The service provides for the electronic validation and verification of a user’s identity and enables the use of electronic signatures over the Internet and other public networks.

Agencies intend to implement Managed Firewall Service in order to secure their internal networks. Similarly to commercial enterprises, Agencies face increasing network security risks, which they seek to mitigate. This offering is one of the security tools that will help reduce service disruptions caused by malicious access. Managed Firewall Service will prevent unauthorized access to or from private networks, such as Local Area Networks (LANs).

A type of electronic signature that is generally considered the most reliable and secure. Digital signatures use public key infrastructure (PKI) to authenticate the sender and verify the information contained in the document. With the passage of the electronic signatures act, digital signatures are expected to become increasingly popular for exchanging information, conducting transactions and signing contracts over the Internet. The Contractor shall provide a set of policies, processes, server platforms, software, and workstations used to administer certificates and public-private key pairs, including the ability to issue, maintain, and revoke public key certificates. The architecture, organization, techniques, practices, and procedures that collectively support the implementation and operation of a certificate-based public key cryptographic system. The PKI consists of systems which collaborate to provide and implement the PCS and possibly other related services. The term generally used to describe the laws, policies, standards, and software that regulate or manipulate certificates and public and private keys. In practice, it is a system of digital certificates, certification authorities, and other registration authorities that verify and authenticate the validity of each party involved in an electronic transaction.

Secure Managed Email Service (SMEMS) provides Agencies with a complete secure and fully managed email security solution. Email security solutions implemented at Agency gateways and desktops usually attempt to handle events that have already breached the network. Any delay in applying security updates to this infrastructure exposes the network to rapid outbreaks and dynamic threats. SMEMS offers an additional layer of protection by proactively scanning and monitoring email traffic at the contractor’s security platform, before it enters the Agency’s network. The service supports email security functions such as Anti-Virus Scanning, Anti-Spam Filtering, and Content Control. Security engines are continuously updated to maintain effectiveness against threats and inappropriate material. SMEMS works in conjunction with existing Agency email systems, and is implemented without additional investment in hardware and software at Agency sites.

Quantitative Risk Analysis of Large Sensitive Systems: The Contractor shall provide support in performing quantitative risk analyses of large sensitive systems, generally including the risk analysis package as an attachment to the system security plan.
Vulnerability Scanning Service (VSS): Vulnerability Scanning Service (VSS) allows agencies to conduct effective and proactive assessments of critical networking environments, and correct vulnerabilities before they are exploited. This offering helps to guard Agency systems and network infrastructure against emerging threats.