NOAA Training Manager

THIS IS NOT A SOLICITATION.  This is a Request for Information (RFI) for planning purposes only and is issued in accordance with Federal Acquisition Regulation (FAR) 52.215-3 Request for Information or Solicitation for Planning Purposes (OCT 1997).No solicitation document exists at this time. Issuance of this notice does not constitute any obligation on the part of the Government to procure these items or services or to issue a solicitation. In addition, the Government is under no obligation to pay for information submitted in response to this RFI, and responses to this notice cannot be accepted as offers. Any information that the vendor considers proprietary should be clearly marked as such. The Government shall not be held liable for any damages incurred if proprietary information is not properly identified.The Department of Commerce (DOC), National Oceanic and Atmospheric Administration (NOAA), Acquisition and Grants Office (AGO), Eastern Acquisition Division (EAD) is seeking

information from industry in order to inform NOAA on different approaches and solutions to procure a commercial Information Technology (IT) product that would require minor professional services to customize for data entry options.The anticipated NAICS code for this requirement is 541519– Other Computer Related Services, with a size standard of $25,500,000.00.  The Government requests capability statements from interested sources that address the below requirements. All interested sources shall submit a capability statement that shall be considered by the agency. To be eligible, vendors must be registered with the System for Award Management (SAM): https://www.sam.gov/portal/public/SAM/##11. Interested sources can obtain a DUNS number by calling 1-800-333-0505. Capability statements will be due on April 9, 2020 by 1:00PM EDT. Capability statements shall not exceed 15 pages in total. Capability statements will be accepted electronically (using PDF or Microsoft Word) at the following email address: Jonathan.Sayoc@noaa.gov.Submitted capability statement shall include the following:Company name and addressDUNS numberSize of business according to NAICS 334519 (e.g. Large Business, Small Business, 8a, Veteran Owned Small Business, Service Disabled Veteran Owned Small Business, HubZone, Small Disadvantaged Business, or Woman Owned Small Business) as validated by SAM.Company point of contact – Name, Phone Number, and Email AddressCountry that the proposed solutions are manufactured/developed inTerms of standard commercial warrantyAny General Service Administration (GSA) schedule, Government Wide Acquisition Contract (GWAC) or Multiple Award Contract numbers and information that allow for the ordering of the proposed solutionGeneral RequirementsGeneral Information Technology (IT) Requirements:Provide different permission levels for individual personnel, supervisors, and training management personnelAbility to work offline and then sync once connected to networkData synchronized between individual workstations and cloud environmentDemonstrate System Reliability (system uptime and stability) and provide reports to NOAA IT detail uptime    Application hosted using NOAA’s Cloud infrastructure; any alternate Cloud vendor must be Cloud FedRamp Certified to a moderate level and approved in advance by the governmentSoftware shall be COTS software readily availableProvide historical update size and bandwidth requirements for daily operations and software updatesSynchronization and or data transfer must be controllable (ability to throttle bandwidth usage, schedule transfer and or sync times) and work within a high latency low bandwidth environment (128kb or less with up to 1100 millisecond latency times)  Section 508 compliance: Must be accessible to people with disabilities.  IT Security Requirements:Please refer to NIST Special Publication 800-53 (Rev. 4) for compliance with referenced Access Controls (AC), System Communications (SC), Risk Assessment (RA), and System Integrity (SI) requirements below.Users (Access Controls):No Foreign National developers (or development conducted or code stored external to CONUS) per Departmental Administrative Order DAO 207-12Access Control (AC-2): Must allow for implementation of 2 Step Verification utilizing Department of Defense Common Access Card (CAC) and certificates including PIV-I certificatesSeparation of Duties (AC-5): Must provide isolation of privileged & unprivileged accessLeast Privilege (AC-6): System configured to allow the least privileges required to fulfil the requirementsComputer (System and Communications Protection):Information and Shared Resources (SC-4)Warning banners (AC-8)Application Partitioning (SC-2): Application server must separate application and user functionality (including user interface services) from information system management functionalityTransmission Confidentiality and Integrity (SC-8): Application server must support VPN whenever remote connections are established from outside the system boundaryCryptographic Protections (SC-12/13): Application server must utilize encryption algorithms for sensitive information at rest and in motion must be FIPS 140-2 compliant; data must maintain encryption from endpoint to endpoint at every hop.Vulnerability Scanning (RA-5): Application server must be compatible with Tenable Nessus for vulnerability scanningFlaw Remediation (SI-2): Application server must remediate vulnerabilities and apply patchesMalicious Code Protection (SI-3)Auditable Security Logs (AU)Baseline Configuration (CM-2): Application server must be Operational under DISA STIG configurationsApplication:All web traffic transmissions must use validated and approved certificates; site must be configured for HTTPS-only with HSTS as well as all other BOD 18-01 directivesInformation Input Validation (SI-10): Input forms reject buffer overflows, code injection, erroneous & unexpected inputEncode HTML OutputInformation Retention and Handling (SI-12): Meet DOC and NOAA data retention policy for the class of data being storedWarning banners (AC-8): NOAA approved warning banners required with acknowledgement prior to access sensitive information, PII, BII and HIPAACompatible with OMAO Data Loss Prevention (DLP) software agents No use of Kaspersky-branded Products per 44 U.S.C. 3553(d)–(e)No foreign developed or maintained software application.All application software must be approved through the OMAO Configuration Approval Board prior to acceptanceAll software and sub-software must be licensed and supportedFunctional Requirements:Personnel Profiles:Creation and management of individual personnel profiles, e.g.:Current PositionCurrent OrganizationCurrent Duty StationCurrent AssignmentMedical StatusLicenses & CertificationsCompleted TrainingTraining Requirements:Ability to load license, certification, and training requirements by positionAbility to load training requirements by assignment (e.g., individual ships)Ability to identify which requirements also necessitate an associated document for uploadDocument StorageUpload and storage of the following artifacts for each profileVendor Profiles:Creation and management of vendor pool:Vendor NameType of TrainingLocation of TrainingCost of TrainingQuality of TrainingAbility to bulk upload and associated multiple types of training with single vendorInclusion of form for end-user to rate quality of training on scale from 1-5Ability to generate dashboards and run reportsActive and outstanding licenses and certificationsRequired, scheduled, completed, and outstanding trainingsOrganizational training plan for the upcoming fiscal year