Department of the Army, Performance Work Statement (PWS) for National Cyber Range Complex (NRCR) Event Planning, Operations, and Support (EPOS) , May 19, 2017. Unclassified.
National Security Archive
The 2017 PWS marks the Army’s shift from ad‑hoc cyber‑tests to a formal, acquisition‑driven cyber‑range enterprise.
Source: Department of the Army, Performance Work Statement (PWS) for National Cyber Range Complex (NRCR) Event Planning, Operations, and Support (EPOS) , May 19, 2017. Unclassified. Date: May 19, 2017 Archive: BidsandBeyond.com .
Editorial Analysis
Original analysis by the DriftSeas editorial desk. The complete primary-source document, transcribed from the National Security Archive scan, appears in full below.
A Contractual Blueprint for America’s Cyber‑War Playground
The May 19, 2017 Performance Work Statement (PWS) is a procurement document, not a technical manual or a policy directive. It was issued by the Army’s Program Executive Office for Simulation, Training and Instrumentation (PEO STRI) to solicit a contractor who would run the Event Planning, Operations and Support (EPOS) function of the National Cyber Range Complex (NCRC). The timing is crucial: the draft appears just months after the Pentagon’s 2016 cyber‑strategy overhaul and amid the rapid expansion of the DoD’s Cyber Mission Force (CMF). By 2017 the Department of Defense had already executed more than a hundred cyber‑range events, but the institutional architecture for scaling those exercises remained fragmented. The PWS therefore represents an attempt to lock down a single, accountable enterprise that could host realistic, large‑scale test and evaluation (T&E) and training events for the entire services‑wide cyber community.
From DARPA’s Prototype to an Army‑Run Facility
The document’s background section traces the NCRC’s lineage to a 2009 DARPA effort launched under the Comprehensive National Cybersecurity Initiative (CNCI) and National Security Presidential Directive‑54. DARPA built the first “secure, self‑contained environment” capable of emulating complex network topologies at scale. In 2012 the Under Secretary of Defense for Acquisition, Technology and Logistics (USD(AT&L)) transferred operational responsibility to the Test Resource Management Center (TRMC). The PWS notes that since that hand‑off the range has already supported roughly 140 events for DoD customers, ranging from developmental test‑and‑evaluation to mission rehearsal for operational cyber forces.
What the PWS does not say outright, but which the language reveals, is the Army’s desire to move beyond ad‑hoc, project‑by‑project contracts toward a sustained, enterprise‑level service model. The exhaustive list of requirements—program management, risk management, configuration control, security and data handling, even item unique identification (IUID)—mirrors the acquisition‑office playbook for high‑value weapon systems. By couching a cyber‑range in the same contractual scaffolding, the Army signals that cyber‑capabilities are being elevated to the status of kinetic platforms: they must be managed, maintained, and audited with the same rigor.
Who Is Writing the Rules?
The PWS is signed by the “Project Manager for Instrumentation, Targets, Threat Simulators and Special Operations Training Systems (PM ITTS)”, a sub‑office of PEO STRI. That office, traditionally responsible for flight simulators and live‑fire training rigs, now finds itself stewarding a virtual battlefield. The shift underscores a broader institutional convergence: the same acquisition professionals who once bought tank trainers are now buying cloud‑based emulation environments. Their language—phrases like “integrated performance management” and “prototype security operations”—reflects a hybrid mindset that blends traditional acquisition oversight with the agility demanded by cyber‑operations.
Reading Between the Lines
The PWS’s granular focus on “cloud computing and integration support” and “hardware/software interface design” hints at an emerging technical architecture that leans heavily on commercial‑off‑the‑shelf (COTS) cloud services. The requirement for an “Information Assurance and ICD 503 certification” indicates the range must meet stringent DoD information‑security standards, suggesting the government anticipates handling classified or highly sensitive data within the sandbox. Moreover, the inclusion of a “Visitor Support” clause—unusual for a purely technical contract—reveals the range’s dual role as a training venue for external partners, likely including allied nations and industry sponsors.
Why the Document Still Matters
Fast‑forward to 2024: the NCRC (now often referred to as the National Cyber Range) underpins the DoD’s cyber‑acquisition pipeline, feeding data into the Joint Artificial‑Intelligence Center and informing the cyber‑force’s tactics, techniques, and procedures (TTPs). The 2017 PWS laid the contractual foundation for that ecosystem. It codified the expectation that cyber‑testing will be as repeatable and auditable as a live‑fire range, a principle that continues to shape how the Pentagon budgets for cyber‑infrastructure. Analysts tracing the evolution of U.S. cyber‑capability procurement still cite the PWS as the point where cyber‑range operations moved from experimental labs into the formal acquisition lifecycle.
In short, the Performance Work Statement is more than a bureaucratic checklist; it is a snapshot of a pivotal moment when the U.S. military formalized its approach to large‑scale cyber‑exercise infrastructure. Its language captures the tension between rapid, innovative development (a DARPA hallmark) and the disciplined, risk‑averse processes of traditional defense acquisition—tension that continues to define America’s cyber‑war footing today.
PWS-2017-042
W900KK-17-NCR
19 May 2017
Draft
# PERFORMANCE WORK STATEMENT (PWS)
## FOR
# NATIONAL CYBER RANGE COMPLEX
# (NCRC)
# EVENT PLANNING, OPERATIONS, AND
# SUPPORT (EPOS)
## 19 May 2017
U.S. Army PEO Simulation, Training and Instrumentation (PEO STRI)
Project Manager for Instrumentation, Targets, Threat Simulators and Special
Operations Training Systems (PM ITTS)
12211 Science Drive
Orlando, Florida 32826-3224
United States
| Revision Level | Document Date | Summary of Change | Pages Affected |
| :--- | :--- | :--- | :--- |
| Initial | May 2017 | Sources Sought | All |
| | | | |
| | | | |
| | | | |
1
PWS-2017-042 W900KK-17-NCR 19 May 2017 Draft
Contents
1. SCOPE .................................................................................................................................... 5 1.1 BACKGROUND .................................................................................................................... 5 1.2 SYSTEM DESCRIPTION ....................................................................................................... 6 2. APPLICABLE DOCUMENTS.................................................................................................... 6 3. REQUIREMENTS..................................................................................................................... 7 3.1 PROGRAM MANAGEMENT ................................................................................................ 7 3.1.1 Contractor Integrated Performance Management ................................................... 8 3.1.2 Financial Management............................................................................................. 8 3.1.3 Risk Management .................................................................................................... 9 3.1.4 Configuration Management Plan (CMP)................................................................. 9 3.1.5 Management Reviews............................................................................................ 10 3.1.6 Contractor Manpower Reporting Application ....................................................... 11 3.1.7 Organizational Conflicts of Interest (OCI)............................................................ 11 3.1.8 Visitor Support....................................................................................................... 11 3.1.9 Travel..................................................................................................................... 12 3.2 SYSTEM ENGINEERING .................................................................................................. 12 3.2.1 Range Capability, Cloud Computing, and Integration Support and Development . 12 3.2.2 Hardware and Software Interface Design and Specification................................. 13 3.2.3 Software/Firmware Design and Development ...................................................... 13 3.3 QUALITY ASSURANCE.................................................................................................... 14 3.4 TECHNOLOGY DEMONSTRATION ................................................................................. 14 3.4.1 Cyber Event Operations ......................................................................................... 14 3.5 SYSTEM MAINTENANCE REQUIREMENTS ................................................................... 15 3.5.1 Toolkit Maintenance .............................................................................................. 15 3.5.2 Hardware/Software (HW/SW) Maintenance .......................................................... 16 3.6 ITEM UNIQUE IDENTIFICATION (IUID).......................................................................... 16 3.7 SECURITY AND DATA HANDLING ................................................................................ 16 3.7.1 Prototype Security Operations............................................................................... 16 3.8 INFORMATION ASSURANCE AND ICD 503 CERTIFICATION AND ACCREDITATION ............ 16 3.9 GOVERNMENT FURNISHED PROPERTY (GFP)/GOVERNMENT FURNISHED EQUIPMENT (GFE)... 17
2
PWS-2017-042 W900KK-17-NCR 19 May 2017 Draft vv Performance Work Statement (PWS) for NCR Complex (NCRC) Event Planning, Operations, and Support (EPOS)
- SCOPE This Performance Work Statement (PWS) describes the effort to be performed by the contractor for Event Planning, Operations and Support (EPOS) at a National Cyber Range Complex (NCRC) facility. The NCRC will provide the ability to conduct realistic cybersecurity Test and Evaluation (T&E) of major Department of Defense (DoD) acquisition programs and the ability to conduct realistic training and certification events for the DoD Cyber Mission Force (CMF).
1.1 Background The U.S. Army Program Executive Office for Simulation, Training and Instrumentation (PEO STRI) has a requirement for a National Cyber Range Complex capability. In 2009, the Defense Advanced Research Projects Agency (DARPA) was tasked by the Comprehensive National Cybersecurity Initiative (CNCI) to “establish a front line of defense against today’s immediate threats by creating or enhancing…the ability to act quickly to reduce our current vulnerabilities and prevent intrusions” (National Security Presidential Directive 54 (NSPD)-54). Under the NCR program, DARPA developed the architecture and software tools for a secure, self-contained environment capable of rapidly emulating large-scale complex cyber range event environments that match the depth, diversity, fidelity and realism of real-world networks.
On October 1, 2012, the Under Secretary of Defense for Acquisition, Technology and Logistics (USD(AT&L)) directed the Test Resource Management Center (TRMC) to take responsibility for operations and resources of the National Cyber Range (NCR). Since then, the NCR has executed 140 events for DOD Customers. The NCR conducts Cyberspace Testing, Training and Operational Events for the full spectrum of DoD Customers including Research, Development, Acquisition, Testing, Training and Operational Cyber Mission Forces. The NCR executes wide variety of event types including Science and Technology (S&T) Demonstrations, Developmental Test & Evaluation (DT&E), Operational Test & Evaluation (OT&E), Security Controls Assessments (SCA), Cyberspace Operations Training, Cyberspace Tactics, Techniques Procedures (TTP) Development, Forensics/Malware Analysis) and Cyberspace Operations Mission Rehearsal. The NCR enables acquisition programs to conduct Cybersecurity Test and Evaluation (T&E) in a representative Cyberspace Environment to identify and close exposed vulnerabilities, evaluate resiliency and positively impact program cost, schedule and performance. The NCR also supports Training and Certification of Cyber Mission Forces in support of US Cyber Command by enabling operational forces to efficiently evaluate cyber warfighting capability in a realistic joint mission environment. Finally, the NCR is supporting in real time Overseas Contingency Operations as directed by National Authority. 3
PWS-2017-042 W900KK-17-NCR 19 May 2017 Draft vv
To meet growing demand for cybersecurity T&E and CMF training and certification, the TRMC is embarking on a program to increase cyber range capacity by creating an interconnected complex of NCR-like facilities called the NCR Complex. These new facilities will be located within government owned facilities at the following pre-selected tentative locations: Orlando, FL, Charleston, SC, Aberdeen, MD, Patuxent River, MD and Fort Walton Beach, FL, see Figure 1. At maturity, the NCRC will consist of an integrated and interoperable constellation of facilities designed to enable the planning and execution of very large-scale complex distributed cybersecurity T&E and training events. The NCRC will empower programs to conduct research experiments, development and operational tests, and operational training exercises in environments that emulate their specific computing, networking, and information systems infrastructures.
Mission: Improve the resiliency of our warfighters in the cyber-contested battlespace by conducting testing, training, and mission rehearsal events in operationally-representative cyberspace environments Nationwide NCR Network RSDP RSDP RSDP Air Land Sea Space NCR Complex Vision Distributed Access to Persistent Cyber T&E, Training, and Mission Rehearsal Key ★ = NCR Flagship ☆ = Planned NCR Instance • = Existing NCR Network Connectivity NATIONAL CYBER RANGE α + NATIONAL CYBER RANGE β + NATIONAL CYBER RANGE γ + NATIONAL CYBER RANGE δ = NATIONAL CYBER RANGE Test Resource Management Center The Right Team Enabled by the Right Technology Augmenting existing capabilities to deploy current and future systems to include avionics HW&SW, ICS/SCADA, and more. Figure 1. NCR Complex Vision
4
PWS-2017-042 W900KK-17-NCR 19 May 2017 Draft
1.2 System Description Each NCRC facility will be comprised of four key elements: a secure facility, a unique security architecture, integrated tools for cyber testing, and a multi-disciplinary staff, see Figure 2. Accredited by the Defense Intelligence Agency (DIA), NCRC facilities provide efficient and affordable cybersecurity testing and training infrastructure that can operate at levels up to Top Secret/Sensitive Compartmented Information (TS/SCI). Using state-of-the-art network isolation capabilities, each NCRC will be capable of simultaneously executing combinations of up to eight independent T&E and CMF training events at different classification levels.
A Range Facility... A Network Encapsulation Architecture & Operational Procedures... NCR is: Services Include, But Are Not Limited To: End-to-End Test Support Test Bed Design Support Cyber and Testing Expertise Threat Vector Development Custom Traffic Generation Custom Sensor and Visualization Support Custom Data Analysis Services Integration of Customer Assets Software Hardware Remote Red / Blue Team Support An Integrated Software Testing Tool Suite... And an Expert Range Team... Figure 2. NCR Overview
APPLICABLE DOCUMENTS TBD
REQUIREMENTS
3.1 Program Management The Contractor shall provide the overall management and administrative effort necessary to ensure that the requirements of this contract are accomplished. The Contractor shall include provisions for technical and administrative planning, organization, coordination, resource allocation, and risk management. The Contractor shall track program progress utilizing established metrics, and share the metric and related data with the Government through the conduct of Interim Progress Reviews (IPRs) and Technical Interchange Meetings (TIMs). The 5
PWS-2017-042 W900KK-17-NCR 19 May 2017 Draft
Contractor shall send agendas, briefing slides, and meeting minutes to the Government's Contracting Officer Representative (COR) and to the NCRC Director. Additionally, a weekly status report shall be supplied to the NCRC COR and to the NCRC Director by close of business (COB) every Wednesday for the entire life of the contract with formatting approved by the Government.
DI-MGMT-80227 Contractor's Progress Status and Management Report
3.1.1 Contractor Integrated Performance Management The Contractor shall develop, implement, manage to, update, and maintain an Integrated Master Schedule (IMS) by logically integrating detailed program activities. The schedule shall contain the planned events and milestones, exit criteria, and their dependencies from contract award to the completion of the contract. All contract schedule information delivered or presented at program reviews shall originate from the IMS and shall contain all critical events, predecessors and successors' events, and their dependencies.
DI-MGMT-80227 Contractor's Progress Status and Management Report
3.1.2 Financial Management The Contractor shall plan, budget, schedule, and control resources allocated to meet requirements of the contract. The Contractor shall maintain a detailed cost and schedule status of work progress on the contract and procedures for planning work, controlling costs, measuring performance, and generating timely and reliable information. The Contractor shall document and track the expenditure of all appropriated funds associated with the contract against each contract line item and sub-line item. The Contractor shall maintain integrated cost and schedule information on those subcontracts which, based on risk, schedule criticality or dollar value, have the potential to impede the successful completion of the contract.
The Contractor shall prepare, implement and utilize the Contract Work Breakdown Structure (CWBS) and performance based Contract Statement of Work (CSOW) to define the work required for the proposed products and processes. The Contractor shall identify elements of subcontracted work in the extended CWBS and may propose changes to the CWBS to enhance its effectiveness in satisfying program objectives.
DI-MGMT-81334D Contractor Work Breakdown Structure (CWBS) DI-MGMT-81651 Contract Invoicing and Payment Report DI-MGMT-80227 Contractor's Progress Status and Management Report
3.1.2.1 Program Baseline Review (PBR) The Contractor shall participate with the Government in the assessment of program risk and the degree to which the following have been established for 6
PWS-2017-042
W900KK-17-NCR
19 May 2017
Draft
applicable tasks. The PBR shall occur as soon as feasible but not later than 90-
days after contract award,
a. Technical scope of work is fully included and is consistent
with authorizing documents.
b. Project schedule key milestones are identified and supporting
schedules reflect a logical flow to accomplish the work.
c. Tasks are planned and can be measured objectively relative to the technical
progress.
d. Management processes are rational and support successful execution of
the project.
e. Resources (budget, facilities, personnel, skills, etc.) are available
and adequate for the assigned tasks
DI-MGMT-80227 Contractor's Progress Status and Management Report
DI-ADMN-81505 Report, Record of Meeting/Minutes
3.1.3 Risk Management
The Contractor shall prepare, implement, and maintain a cost, technical and schedule
risk management process which includes risk detection and identification, assignment
of risk categories, risk mitigation planning, mitigation plan implementation, corrective
action, tracking of compliance, reporting of status and planning for risk abatement.
The Contractor shall utilize the risk management process for:
a. Identification and documentation of moderate and high-risk items for each
risk assessment area to be presented at management reviews.
b. Identification and implementation of risk handling approaches and track
over time each moderate and high-risk item.
c. Documentation of risk issues that have been successfully resolved and
scheduling each open item into the program schedule.
d. Developing mitigation plans to identify the recommended critical path for
contract completion and the appropriate risk handling approach to lower the
level of uncertainty identified.
e. Recommendation of decision points in terms of cost, schedule, and
performance objectives to facilitate management and technical control.
DI-MGMT-80227 Contractor's Progress Status and Management Report
7
PWS-2017-042 W900KK-17-NCR 19 May 2017 Draft
3.1.4 Configuration Management Plan (CMP) In coordination with the Government, the Contractor shall develop and execute a Configuration Management Plan (CMP) to ensure the coordinated and effective changes of the architecture at each NCRC facility are understood and documented and approved by the NCRC Configuration Management Board (NCRC CCB). The NCRC CCB shall be chaired by the NCRC Chief Engineer. The CMP shall include the objective that no proprietary or highly unique solutions will be utilized. The NCRC CCP shall approve any proprietary or highly unique solution prior to it being implemented at an NCRC facility. The CMP shall be subject to periodic review. Formal revisions and guidance will be provided at program reviews and status meetings at the direction of the COR in accordance with the intended scope of this PWS.
3.1.4.1 Engineering Change Proposals / System Engineering and Design The Contractor shall document all changes to established baselines and all changes to the requirements, including changes to the performance work statement; contract data requirements list (CDRL), the contract schedule, and the general provisions of the contract. Documentation updates shall be developed IAW the initial document format and content standards or as otherwise directed. The Contractor shall prepare and submit all documentation in accordance with the CDRL.
DI-CMAN-80639C Engineering Change Proposal
3.1.4.2 Deviations and Waivers The Contractor shall document the rationale and the potential impact of any deviation or waiver. The Contractor shall obtain approval before deviating from any Government controlled baseline.
DI-CMAN-80640C Request for Deviation (RFD)
3.1.5 Management Reviews
3.1.5.1 Post Award Conference (PAC) The Contractor shall hold a Post Award Conference at the NCRC facility within 45 days after contract award. The conference shall introduce key participants with emphasis on top level management of the program, identify points of contact and discuss both parties' understanding of the scope of work, agree on metrics that will be used as management and technical indicators, identify the partnering approach, and other contract issues. The conference materials and minutes shall be sent to the NCRC COR and to the NCRC Director. Receipt and acceptance of the required contract deliverable constitutes the goal for completion.
8
PWS-2017-042 W900KK-17-NCR 19 May 2017 Draft
DI-MGMT-80227 Contractor’s Progress Status and Management Report DI-ADMN-81505 Report, Record of Meeting/Minutes
3.1.5.2 Interim Progress Reviews (IPR) The Contractor shall coordinate with the NCRC COR and NCRC Director to schedule Interim Progress Reviews (IPRs) to evaluate the status of the contract’s planned performance measurement baseline. Initially, this shall occur as soon as feasible but not later than 60-days after contract award, and subsequently on a quarterly schedule. Each IPR should verify that the Contractor is using a reliable performance measurement baseline, which includes the funded scope of work, is consistent with contract schedule requirements, and has adequate resources assigned. The Contractor shall convene the first IPR as soon as feasible but not later than four months after contract award, and subsequently on a quarterly schedule. The conference materials and minutes shall be sent to the NCRC COR and to the NCRC Director. Receipt and acceptance of the required contract deliverable constitutes the goal for completion.
DI-MGMT-80227 Contractor’s Progress Status and Management Report DI-ADMN-81505 Report, Record of Meeting/Minutes
3.1.5.3 Technical Interchange Meetings (TIMs) The Contractor shall coordinate with the NCRC COR, NCRC Director and NCRC Chief Engineer to schedule and conduct technical interchange meetings to be held at both Contractor and Government facilities. The meetings shall be co-chaired by the NCRC and Contractor Chief Engineers. The Contractor shall be prepared to explain the reasoning, assumption, and methodologies in arriving at particular conclusions, recommendations, or alternatives in the accomplishment of the tasks required by the contract. The Contractor shall prepare drawings and other documentation to aid in the presentations. The Contractor shall have all the required personnel and resources present. The Contractor shall facilitate the NCRC discussions, as necessary, to coordinate and execute this task as directed by the Government. The Contractor shall prepare the meeting agendas and document the meeting results. Except where noted herein, meetings shall be considered fulfilled when all of the following items are completed:
- A formal review meeting has been conducted.
- All action items requiring contractor response have been documented and posted.
- Submittal of TIM minutes. Receipt and acceptance of the required contract deliverable constitutes the goal for completion.
DI-MGMT-80227 Contractor’s Progress Status and Management Report DI-ADMN-81505 Report, Record of Meeting/Minutes 9
PWS-2017-042 W900KK-17-NCR 19 May 2017 Draft
3.1.6 Contractor Manpower Reporting Application The Contractor shall report all contractor labor hours (including subcontractor labor hours) required for performance of services under this contract for an NCRC facility via a secure data collection site. The Contractor is required to completely fill in all required data fields using the following web address: http://www.ecmra.mil/. Reporting inputs will be for labor executed during the period of performance during each Government Fiscal Year (FY) which runs October 1 through 30 September. While inputs may be reported any time during the FY, all data shall be reported no later than October 31 of each calendar year. Contractors can find User Guides, Frequently Asked Questions and may direct questions to the help desk at http://www.ecmra.mil/.
3.1.7 Organizational Conflicts of Interest (OCI) It is recognized that the effort to be performed by the Contractor under this contract may include, advisory and assistance services; a myriad of systems engineering efforts; support in the preparation of specifications and work statements; technical evaluation of other Contractors' products and services; and access to other Contractors' proprietary information. Consequently, performance of this contract may create potential organizational conflicts of interest such as are contemplated by Federal Acquisition Regulation (FAR) 9.505.
Therefore, the Contractor shall develop and maintain an OCI mitigation plan to avoid, neutralize, and mitigate real and perceived organizational conflicts of interest. This OCI plan shall be incorporated into the contract by reference.
3.1.8 Visitor Support The Contractor shall be required to host Very Important Person (VIP) visits and arrange for and provide demonstrations of system performance, program progress, and other system characteristics as required.
3.1.9 Travel Travel may be required to support the NCRC EPOS. The Contractor shall request the Government's approval for all travel requirements above and beyond NCRC cyber event planning, operations and support through advanced notice via email or weekly status report.
3.2 System Engineering
3.2.1 NCRC Capability Integration Support and Modification Upon request from the Government, the Contractor shall provide an Engineering Change Proposal to provide engineering and technical expertise to assist the Government in integrating components of other mission, technology areas and range capabilities into the NCRC architecture. The Government can initiate 1
PWS-2017-042 W900KK-17-NCR 19 May 2017 Draft
Engineering Change Proposals as needed for modifications to the NCRC architecture and tool suite. The Contractor shall provide a response to include anticipated schedule and funding required to meet the Government's proposed changes. The proposed scope may include the following items:
a. Expanding or enhancing the functional architecture of the NCRC range hardware and software assets to support new technology and mission areas either on NCRC facilities or in conjunction with other cyber ranges and enterprise solutions in support of distributed missions, regardless of the physical location of the assets being evaluated during NCRC events.
b. When directed, the Contractor shall provide assessments to the Government which detail how the NCRC can be modified to support specific missions, architectures and/or environments. These assessments shall include recommendations on how to integrate the NCRC architecture and tool suite into these missions, architectures and/or environments such that the NCRC shall function as a hardware agnostic entity. These assessments shall be conducted while simultaneously maintaining the NCRC mission schedule. It is anticipated that at most one to two assessments would be conducted per year.
DI-ADMN-80925 Revisions to Existing Government Documents (Technical Data package, TDP)
3.2.2 Hardware and Software Interface Design and Specification
The Contractor shall update any changes to the interface characteristics of the NCRC subsystems and the components of those subsystems that have been modified as directed and in accordance with configuration control activities for the NCRC. Equipment interface requirements shall be communicated to programmers and to equipment designers in order to consider the impact of their designs on each other. This will include all critical NCRC hardware components and any modifications related to the NCRC interacting with other entities. Receipt and acceptance of the required contract deliverable constitutes the goal for completion.
DI-ADMN-80925 Revisions to Existing Government Documents (Technical Data package, TDP)
3.3 Quality Assurance
The Contractor shall implement and maintain a QA program using industry-accepted best practices and establish a QA process with full Government insight, subject to Government program approval. The contractor shall maintain an NCRC facility QA program IAW approved procedures. The Contractor shall maintain records of quality conformance and shall make these records available for Government review.
PWS-2017-042 W900KK-17-NCR 19 May 2017 Draft
The Contractor shall maintain a structured quality control process that ensures the prompt detection of deficiencies and initiation of necessary corrective actions for any software artifacts or deliverables found non-compliant with this Performance Work Statement. The Contractor shall introduce quality controls that pertain to hardware, software, firmware, materials, and supporting technical documentation.
The Contractor shall establish measurement points that will provide maximum visibility into new and prior processes to assure contractual requirements are being met. The Contractor shall select the proper methods to analyze these processes to continuously improve the system. The Contractor shall develop management and technical metrics to assist management visibility into an adequate process control system. The Contractor shall utilize the established discrepancy tracking system with the ability to produce complete permanent records of all discrepancy or database listing. The Contractor shall establish a suspense system to ensure timeliness of analysis and corrective action for discrepancies and risk reduction items.
3.4 Technology Demonstration As required by the Government, the Contractor shall demonstrate and verify the NCRC technologies operate in a manner designed to illustrate the benefits of the range.
DI-MISC-80711A Scientific and Technical Reports
3.4.1 Cyber Event Operations The Contractor shall plan, design, deploy, execute and document the results of cyber events (e.g. DT/OT tests, training and certification activities, mission rehearsal activities) using the NCRC architecture and infrastructure. The Government shall control scheduling event execution at each NCRC facility. NCRC events may include multiple offsite participants collaborating with one or more NCRC facilities and other cyber ranges via the JMETC Multiple Independent Levels of Security Network (JMN) or the Joint Information Operations Range (JIOR), both of which have been approved for use by NCRC facilities. The following requirements shall be addressed as part of this task:
a. Provide all facilities and facility support to operate the NCRC facility at the highest security classification level approved by the Government.
b. Provide cleared staff to maintain and operate the NCRC facility and infrastructure.
c. Provide NCRC customers with pre-event support, event execution support, and post-event support in accordance with event requirements.
PWS-2017-042 W900KK-17-NCR 19 May 2017 Draft
d. Provide cleared staff capable of Cyber Table Top (CTT) event planning, facilitation, execution and post-CTT data analysis and reporting to support NCRC customers in assessing and defining specific cyber range event goals and objectives.
e. Deliver the following documentation as applicable for each event and as directed by the Government:
- Pre-Event Report that outlines the basic test approach, high-level schedule, and significant risks to successful event execution.
- Detailed Event Support Plan that provides the detailed administrative and technical information required to execute the event, including: the goals and objectives; the metrics; the measurement, instrumentation, and data analysis plan; technical details, specifications and configurations of the planned event environment; and administrative (e.g. security, health and safety) information.
- Quick Look Event Report that provides a high-level summary of the test results, and significant observations regarding performance of the NCRC facility and infrastructure, major lessons learned, and actions items required to complete event closeout.
- Detailed Event Summary Report that provides an overview of the event, technical details, specifications and configurations of the actual event environment, highlights and technical accomplishments, NCRC utilization details and metrics, technical information regarding any new event-specific capabilities and content, presentation and explanation of result and any recommendations for short and long-term NCRC improvements and lessons learned.
DI-MISC-80711A Scientific and Technical Reports (Pre-Event Report, Detailed Event Support Plan, Quick Look Event Report, Detailed Event Summary Report)
3.5 System Maintenance Requirements
3.5.1 NCRC Problem Tracking and Reporting
The Contractor shall track problems and deficiencies identified during NCRC operations and work with the Government to prioritize the troubleshooting and resolution of any identified deficiencies in the NCRC architecture and infrastructure. Hardware and software updates and troubleshooting shall be conducted in an unclassified engineering environment using unclassified event data, unless the problem cannot be recreated in that unclassified system. Receipt and acceptance of the required contract deliverable constitutes the goal for completion.
PWS-2017-042 W900KK-17-NCR 19 May 2017 Draft
DI-MGMT-80227 Contractor’s Progress Status and Management Report
3.5.2 Hardware/Software (HW/SW) Maintenance
The Contractor shall maintain the range, including HW/SW vendor support. The Contractor shall ensure the latest security changes are reflected on the range and that problem resolution is timely for any functional or mission related problem. This includes both the classified range infrastructure and the unclassified engineering testbeds. Range configuration changes, problem resolution, and identified issues requiring resolution shall be reported to the Government. Changes in the range design, to include the integration of the range infrastructure into distributed and/or service oriented environments, shall be similarly maintained as the changes are integrated into the NCRC mission space and architecture(s). Receipt and acceptance of the required contract deliverable constitutes the goal for completion.
DI-MGMT-80227 Contractor’s Progress Status and Management Report DI-TMSS-80527C Commercial Off-The-Shelf Manuals & Associated Supplemental Data
3.6 Item Unique Identification (IUID)
The Contractor shall work with the NCRC COR, NCRC Director and NCRC Chief Engineer to determine items requiring unique identification including Government owned embedded subassemblies, components and parts, and identify the UID to be used for each item. The Contractor shall provide unique item identification, or a Department of Defense recognized unique identification. Status will be given on the progress of this effort.
DI-MGMT-80227 Contractor’s Progress Status and Management Report
3.7 NCRC Security Operations and Data Handling
The Contractor shall adhere to the Contract Security Classification Specification (DD254) guidance and NCRC Security Classification Guide (SCG).
The Contractor shall perform the tasks as specified in the NCRC Security Procedures to ensure the on- going operations of the classified range and unclassified engineering testbeds. Range configuration changes, problem resolution, and identified issues requiring resolution shall be reported to the NCRC Information Systems Security Manager (ISSM).
DI-MGMT-80227 Contractor’s Progress Status and Management Report
3.8 Cybersecurity Assessment and Authorization (A&A)
The Contractor shall adhere to Government guidance on requested level of
PWS-2017-042 W900KK-17-NCR 19 May 2017 Draft
accreditation and maintain Certification and Accreditation of the NCRC facility at a minimum of the TS/SCI classification level. Part of this accreditation maintenance shall include re-assessing and re-authorizing any changes in the range management and coordinating with the Authorizing Official to approve any changes in the software or hardware baseline
3.9 Government Furnished Property (GFP)/Government Furnished Equipment (GFE) The Contractor shall be responsible for the accountability, maintenance, custody, control, and storage of all GFP including GFE and Government Furnished Software (GFS) in performance of this contract.
DI-MGMT-80269 Status of Government Furnished Equipment (GFE) Report
[DRAFT]
1
NATIONAL SECURITY ARCHIVE
National Security Archive, Suite 701, Gelman Library, The George Washington University, 2130 H Street, NW, Washington, D.C., 20037, Phone: 202/994-7000, Fax: 202/994-7005, nsarchiv@gwu.edu