The Alert & Warning System (AWS) services in support of the USCG's system

Added: Apr 27, 2017 3:34 pm This is a Sources Sought notice. This is NOT a solicitation for proposals, proposal abstracts, or quotations. The purpose of this notice is to obtain information regarding: (1) the availability and capability of qualified business sources; (2) whether they are small businesses; HUBZone small businesses; service-disabled, veteran-owned small businesses; 8(a) small businesses; veteran-owned small businesses; woman-owned small businesses; or small disadvantaged businesses; and (3) their size classification relative to the North American Industry Classification System (NAICS) code for the proposed acquisition. Your responses to the information requested will assist the Government in determining the appropriate acquisition method, including whether a set-aside is possible. Background:The Department of Homeland Security (DHS), U.S. Coast Guard C4IT, Operations Systems Center (OSC) has a requirement for a commercial off the shelf alert notification system.

Requirements: 1. Availability and Redundancy a. Technical SupportThe Vendor or agent shall provide continuous on-call and/or on-site technical support on a 24-hours-per-day / 7-days-per-week / 365-days-per-year basis. The maximum response time is 2 hours for any issues pertaining to the backend messaging service. b. Changes and Modifications The Vendor or agent shall make changes and modifications to the backend service as necessary to support additional communications channels and requirements of the Operations Systems Center (OSC) on behalf of the federal government. Changes to the backend service production system shall only commence after coordination and approval from the OSC POC. c. System Administration The Vendor or agent shall administer a stable, reliable instance of the backend service with 99% availability. The Vendor or agent shall provide general system administration, monitoring, and system level support in order to meet or exceed the required availability and security requirements as referenced in Section 2, #9, Certification and Accreditation. d. RedundancyThe Vendor or agent shall position the backend service in redundancy locations to preclude damage or impact by local events and shall deploy the service with "hot failover" configuration (a standby system that is immediately available to accept user connections after a production system fails) across multiple data centers. e. Documentation The Vendor or agent shall provide immediate (30 minutes) notification to the USCG government POC if the system experiences any unscheduled downtime and shall provide a preliminary downtime report/summary within 12 hours. The final downtime report/summary is expected to be delivered within 10 working days of the downtime occurrence. f. Uptime AvailabilityThe Vendor or agent shall uphold a minimum 99.99% uptime availability for the backend service. NOTE: The final contract will contain a penalty clause if Vendor is unable to meet the uptime availability percentage for the backend service g. Disaster Recovery PlanThe Vendor or agent shall provide a disaster recovery plan for the backend service, up to the USCG firewall, and for any functions and/or processes that, if the service became unavailable for whatever reason, would render the system unusable. 2. Security a. Support ServiceThe Vendor or agent shall provide, install, manage, and maintain all necessary hardware, software (including firewalls), software licenses, and necessary support services to run the backend service portion of the alerting system at the Vendor Site. b. Vulnerability ScansIf applicable, the Vendor or agent shall perform vulnerability scans on a regular basis to ensure compliance and successful implementation of Information Assurance Vulnerability Alert (IAVA) policy, per the DISA IAVA Process Handbook, for the backend service. The Vendor or agent shall be responsible for mitigating and/or remediating all Plan of Action & Milestones (POA&M) from vulnerabilities identified in scheduled scans of the backend service. The Vendor shall also assist USCG-OSC Martinsburg to mediate POA&M items that result from vulnerability scans performed on the front-end application by providing patches/upgrades for USCG-OSC Martinsburg to apply. c. C&AIf applicable, the Vendor or agent shall be responsible for ensuring its backend service adheres to the Nation Institute of Science and Technology (NIST) certification and accreditation (C&A) per Special Publication 800-37. To ensure the front-end application patches/upgrades to the front-end application for USCG-OSC Martinsburg to apply. d. FirewallThe Vendor or agent shall ensure that the backend service is protected by a NIST-compliant firewall with logging enabled per Special Publication 800-41 and monitored by an Intrusion Detection System (IDS) that is able to submit reports to USCG if inappropriate activity is discovered. e. DHS HardeningThe Vendor or agent shall configure and secure the backend service environment using all applicable DHS Hardening Guidelines. f. Updates and PatchesThe Vendor or agent shall install current software specific updates/patches for continuous operation of the backend service. g. AccessThe Vendor or agent shall perform monitoring of the backend service for any unauthorized access at the server level and perform log file reviews/reporting which shall be made available to the USCG. h. EncryptionThe alert notification system shall support current NIST requirement for Advanced Encryption Standard (AES) per Federal Information Processing Standards (FIPS) i. Certification and Accreditation (C&A)The alert notification system shall be FISMA-certified and accredited and the Vendor or agent shall be able to align with DHS and USCG security requirements and ensure GIPS compliance if currently not certified by other recognized federal organizations. The Vendor or agent shall provide evidence of previous and/or current certification from DHS/DoD/NIST/FISMA or other recognized federal organizations. j. Disable FeaturesThe Vendor or agent shall provide a service with base functionality that can be enabled or disabled as needed. k. Customization The Vendor or agent shall make changes implemented for other customers available to the alert notification system to prevent customization. l. Cloud Services The alert notification system shall be FedRAMP-certified and accredited and the Vendor or agent shall be able to align with DHS and USCG security requirements and ensure FedRAMP compliance if the solution involves a Cloud Service. 3. Functionality a. Enterprise ArchitectureThe alert notification system shall adhere to NIST's recommendations for Securing Web Services per Special Publication 800-9 and the USCG's approved Enterprise Architecture and Service Oriented Architecture. b. TrackingThe alert notification system shall track, in real-time, all alerting activities for each individual recipient, including sending, receiving and responding to alerts, and shall be able to directly transmit status reports to the alert notification system front-end application. c. Call Back Number The alert notification system shall display the unique call back number, as created by the sender, when sending outbound voice and fax notification. d. Interactive Response Model The alert notification system shall support an interactive response model which would require the backend service to acknowledge positive human intervention for confirmation of notification receipt over voice channel (turn off voice recognition component). e. Short CodeThe alert notification system shall reflect that all SMS alerts will appear to be sent from the short code provided by the USCG. f. ConfirmationThe alert notification system shall provide positive confirmation of alert receipt over the voice channel, the e-mail channel, the SMS channel. g. Delivery Channels The alert notification system shall support alert notifications to end-users (recipients) over the following delivery channels: • E-mail • Voice (public switched telephone network (PSTN), Voice over Internet Protocol (VoIP), cellular, satellite) • SMS alerts to mobile devices and/or pages • Fax • Other Vendor provided delivery channels h. Character Limit The alert notification system shall allow administrators to set character limit for an alert message. i. Short Message ServiceThe alert notification system shall send and receive acknowledgements of alerts via the SMS channel regardless of specific cellular carriers. j. FaxThe alert notification system shall support the dissemination of messages via fax. k. Phone CarriersThe alert notification system shall support the dissemination of outbound alerts over domestic and international carriers. l. Caller IDThe alert notification system shall display USCG identification information via caller ID when sending outbound voice notification and a predefined call back number (e.g. Caller ID - name and phone number) m. Channel SequenceThe alert notification system shall have the capability to define communication channels, sequence of those communication channels, and failover/escalation times between those communication channels for individual alerts. The alert notification system shall also be capable of sending alerts on all channels simultaneously. n. Response ContentsThe alert notification system shall provide the contents/body of the positive confirmation of receipt over the SMS and e-mail channels, if confirmation is returned via SMS or e-mail reply. o. URL DisplayThe alert notification system shall support the proper display of URLs in messages sent via e-mail (e.g. http://homeport.uscg.mil would be displayed as "Homeport Home Page") and for SMS channels, the messages shall be tagged with the USCG short code. p. ConfirmationsThe alert notification system shall not consider "Out of Office" or "Mailbox Full" replies as confirmation of receipt over the e-mail channel. q. Number of RecipientsThe alert notification system shall allow for the sending of an alert notification to a minimum of 25,000 recipients in one hour. r. Delivery TimeThe alert notification system shall be able to deliver all alerts in one hour to a minimum of 25,000 recipients which includes a minimum 6,000 phone calls. s. Data IntegrityThe alert notification system shall ensure that all information sent or received by the backend messaging service will not be stored or changed by the Vendor. t. International Phone NumbersThe alert notification system shall support international numbers for delivering notifications to individuals (or entities) outside of the United States. u. Multiple Languages The alert notification system shall support multiple language delivery options (e.g. English and Spanish) and English dialects when sending an alert. v. Text-to-Speech The alert notification system shall support text-to-speech (TTS). The TTS shall be trainable for abbreviations in multiple languages (e.g. "COTP" vs. "C.O.T.P."). w. Recipient AuthenticationThe alert notification system shall require an option for secure recipient authentication before alert delivery. System shall have the capability for secure recipient password authentication before alert message delivery ("non-repudiation"). x. Previewing Messages The alert notification system shall require an option for secure recipient authentication before alert delivery. System shall have the capability for secure recipient password authentication before alert message delivery ("non-repudiation"). y. Cancelling AlertsThe alert notification system shall be capable of allowing alert producers to cancel an alert in progress. z. Spell CheckThe alert notification system shall provide Spell Check functionality for alerts. aa. PollingThe alert notification system shall be able to customize alert responses for polling and reply purposes (e.g. Press 1 if You are Sheltered in Place, Press 2 if You Need Assistance, etc). bb. Phone StatusThe alert notification system shall be able to distinguish and display specific phone statuses such as live persons, voicemails, busy signals, invalid numbers, and operator intercepts. cc. Message Templates The alert notification system shall provide alert producers with the ability to save templates that can be activated for drills, scenarios, or other events. dd. Geographic Information System (GIS) The alert notification system shall have the ability to select alert recipients based upon a geographic map interface. ee. Dynamic Group ListsAlert producers shall be able to create lists ad hoc by searching for recipients based on defined attributes and have the list automatically update memberships whenever the list is selected. ff. Hierarchical PolicyThe alert notification system shall support a permission-based access to allow users at different levels/units in the organization to have different access and view capability (e.g. Captains of the Port (COTPs) and Districts, HQ hierarchy). USCG Headquarters users will maintain unrestricted global access to allow for alerts to all USCG personnel. 4. Technical a. Section 508The Vendor or agent shall demonstrate that visual alerts delivered to end users adhere to Section 508 of the U.S. Rehabilitation Act Compliance and can therefore be accessed using assistive technology such as job access with speech software. The Vendor or agent shall provide reference that such capability has been accepted to be compliant with Section 508 requirements by at least one other United States government agency. b. Server-based ArchitectureThe alert notification system shall have a server-based architecture which would allow central alert activation, control and management. Front-end application servers will be housed on Coast Guard Data Network and be integrated with the USCG's user directory (support for LDAP and Active Directory integration is required). c. Management ApplicationThe alert notification system shall incorporate a Vendor-supplied web-based site and system administration tool to allow access to the system's capabilities, based on user permissions per the defined access policy. d. User Directories The alert notification system shall provide integration with multiple external user directories for import and synchronization of end user information. After the integration is complete, the alert notification system shall automatically import end-user information from such sources as USCG Active Director (AD) or the established USCG system of record - independent of administrator intervention. e. Communication Ports The alert notification system shall support confirmation of standard communication ports such as 443 for HTTPS, etc. Any assertion to use non-standard ports must be approved in writing with Perot Systems prior to implementation and be identified in the alert notification system implementation plan. f. Industry StandardsThe alert notification system shall use industry standards, such as web services and XML, to integrate with other applications and be SOA compliant. g. User PermissionsAccess to the alert notification system management application shall be role and permission based. Users who do not have the appropriate permissions shall not be able to view or access the system's functionality. h. AuditingAll the alert notification system administration and alert activation activity shall be recorded and maintained in a central repository. The audit log shall include all failed logins and message deliveries. The following should be included: • User-ID • Action Type • Transaction Type • Source IP 5. Company & Personnel a. Personnel QualificationsThe Vendor must provide information describing past performance, data and references, and the qualifications of the team working on this project (to include resumes of all members who would be involved in the project) and how the tasks described above would be carried out. In conformance with AIS (Automated Information Systems ) security policies, all subcontractors or professional services personnel working onsite at the OSC facility will be required to have a company-sponsored security clearance or background investigation unless they are escorted at all times and do not require direct access to the USCG systems. b. Maintenance The Vendor or agent shall provide one (1) year of maintenance (patches, upgrades, etc.) and 24/7 system technical support with an option to extend the maintenance schedule 5 years with a 1-year commitment at a time. Any maintenance to the front-end application servers shall be performed solely by the USCG-OSC Martinsburg. Any Maintenance to the backend service servers shall be performed solely by the Vendor. c. Upgrades Any COTS product upgrades to the front-end application servers shall be supplied solely by the Vendor, and be solely applied by USCG-OSC Martinsburg. Any upgrades to the backend servers shall be performed solely by the Vendor. The Vendor or agent shall provide upgrades to the alert notification system during the warranty period at no additional cost. d. Company OverviewThe Vendor or agent shall provide a brief overview of the company's history, products, services, and customer demographics; and also provide a list of current or former federal contracts. e. HostingThe Vendor or agent shall be able to provide flexible hosting options (e.g. decoupling application from backend services, redundancy, etc.). f. Training The Vendor shall provide technical training and service support during system implementation to USCG-OSC Martinsburg technical personnel (6) to assist with deployment and implementation of the alert notification system. This would include the training of 50 people at 9 Districts and 2 Areas. g. ImplementationThe Vendor or agent shall provide experienced personnel to assist OSC personnel in developing an implementation project plan and system design, and to participate in the installation and testing of the overall implementation. The Vendor or agent shall provide weekly updates, in-person and/or teleconference, to the alert notification system Program Manager to provide a complete status of each project milestone during the project implementation phase. Anticipated Period of Performance:It is anticipated that a firm-fixed-price purchase order will be issued with a base period of twelve (12) months and three (3) twelve (12) month options for a total of forty-eight (48) months. Capability Statement/Information Sought:Interested qualified small business organizations should submit a tailored capability statement for this requirement, not to exceed 5 pages (12-point font minimum), including all attachments, resumes, charts, etc., that clearly details the ability to perform the aspects of the notice described above. Capability Statement must include an indication of current certified small business status, and clearly marked on the first page of the capability statement, as well as the eligible business concern's name, point of contact, address, and DUNS number. Information Submission Instructions:Please submit the above information through email to Contract Specialist Brenda Oberholzer at Brenda.E.Oberholzer@uscg.mil. Please submit your information as soon as possible but no later than May 12, 2017 at 2:00pm Eastern Standard Time (EDT). All submissions shall reference the following within the subject line of their email: "Sources Sought Response HSCGG3-17-PWE007 - (Insert name of Company)". Interested qualified small business organizations should submit a tailored capability statement for this requirement, not to exceed 5 pages (12-point font minimum), including all attachments, resumes, charts, etc., that clearly details the ability to perform the aspects of the notice described above. Capability Statement must include an indication of current business size status/socio-economic status, clearly marked on the first page of the capability statement, as well as the eligible business concern's name, point of contact, address, and DUNS number. Disclaimer and Important Notes:This notice does not obligate the Government to award a contract or otherwise pay for the information provided in response. The Government reserves the right to use the information provided by respondents for any purpose deemed necessary and legally appropriate. Any organization responding to this notice should ensure its response is complete and sufficiently detailed to allow the Government to determine the organization's qualifications to perform the work. Respondents are advised that the Government is under no obligation to acknowledge receipt of the information received or provide feedback to respondents with respect to any information submitted. After a review of the responses received, a pre-solicitation synopsis and solicitation may be published in Federal Business Opportunities. However, responses to this notice will not be considered adequate responses to a solicitation. Confidentiality: No proprietary, classified, confidential, or sensitive information should be included in your response. The Government reserves the right to use any non-proprietary technical information in any resultant solicitation(s). Added: May 03, 2017 7:45 am Additional Background: The services are currently being provided by 1) SNAP Inc via task order HSCGG3-16-J-PWE007 at a value of $1,031,333.44 and a period of performance of 9/1/2016 through 8/31/2017; and 2) SNAP Inc via task order HSCGG3-16-J-PWV002 at a value of $969,203.33 and a period of performance of 8/1/2016 through 7/31/2017.