12.07.2015 Views

Attachment 1 Draft SOO - FAACO - Federal Aviation Administration ...


Federal Aviation Administration
Air Traffic Organization
Information Technology

Statement of Objectives
For
Enterprise Messaging System

SIR #
PRESOLICITATION DRAFT


TABLE OF CONTENTS

1 PURPOSE
2 BACKGROUND
3 CURRENT ENVIRONMENT
4 OBJECTIVES
5 SCOPE
  5.1 PERIOD OF PERFORMANCE
  5.2 SCHEDULE
6 CLOUD MESSAGING SERVICE REQUIREMENTS
7 SECURITY AND PRIVACY
8 IMPLEMENTATION
  8.1 PROJECT COMMUNICATIONS
  8.2 TRAINING
9 ADDITIONAL FEATURES, FUNCTIONS AND CAPABILITIES
10 PROJECT MANAGEMENT AND OPERATIONAL SERVICES
  10.1 PROJECT MANAGEMENT SERVICES
  10.2 OPERATIONS & MAINTENANCE (O&M) SERVICES
  10.3 TIER 3 HELP DESK SUPPORT SERVICES
  10.4 SERVICE LEVEL AGREEMENTS (SLA’S)
11 TECHNICAL INTEGRATION AND OTHER TASK SUPPORT SERVICES
12 REFERENCED DOCUMENTS

SIR # Presolicitation Draft Page SOO-i


STATEMENT OF OBJECTIVES

1 PURPOSE

The purpose of this Statement of Objectives (SOO) is to set forth the overall acquisition objectives, operational assumptions, and performance requirements for the Federal Aviation Administration’s (FAA) Federal Community cloud messaging service and other additional services. For purposes of this SOO, the cloud messaging service includes standard email features and functions, email attachments, instant messaging, contact lists, calendar contents, and to do/task lists using a Federal Community cloud. (See NIST SP 500-292 and SP 800-145 for definitions of key concepts and characteristics of cloud services.) The detailed performance requirements will be established in a Performance Work Statement (PWS), system/service compliance requirements, delivery schedules, and other supporting documentation that will be proposed by the Contractor, negotiated and accepted by the Government, and incorporated into the contract.

2 BACKGROUND

On June 8, 2010, the Office of Management and Budget (OMB) directed that agencies evaluate the potential to adopt cloud computing solutions by analyzing computing alternatives for their information technology (IT) investments in FY 2012. Agencies are expected to adopt cloud computing solutions where they represent the best value at an acceptable level of risk. On February 8, 2011, the U.S. Chief Information Officer established a “Cloud First” policy and directed agencies to re-evaluate technology sourcing strategies and take full advantage of the benefits of cloud computing to maximize capacity utilization, improve IT flexibility and responsiveness, and to minimize cost.

The FAA’s current messaging system is a client-server based solution that uses the IBM Lotus Notes and Lotus Domino product line. Support is provided under a ten-year contract, currently operating under negotiated extensions. In conducting its budget, business case, and requirements analyses, the FAA has determined that this traditional client-server approach to its messaging system does not meet its need to access any data, anywhere, anytime, using any device, in the most cost effective way. As a result, the FAA is addressing this challenge with its first entry into the cloud by transitioning to a seamless enterprise-wide Federal Community cloud messaging service for its approximately 60,000 users. This first entry point into the cloud will be carried out through a phased approach to assure smooth transitions from its current infrastructure environment to cloud services. Other additional services, as described in this SOO, will be considered within this context.

3 CURRENT ENVIRONMENT

The messaging system supports approximately 60,000 users located in FAA’s Headquarters, Field, and Regional Offices (see www.FAA.gov for organizational details).

Electronic Messaging Services - Software products and data characteristics include the following:
- IBM Lotus Notes 8.0.2 (client)
- IBM Lotus Domino Release 8.5.1FP4 (server)
- IBM Lotus Sametime Release 7.0.2FP2 HF88
- IBM Lotus Sametime 7.5.1 CF1
- Iron Port Email Security Appliance; Simple Mail Transfer Protocol (SMTP) Relay and built-in antivirus/reputation filtering/Spam filtering; SMTP; Multipurpose Internet Mail Extensions (MIME)
- Messaging data to be initially migrated includes up to 250 megabytes of data (personal mailbox) per user account (60,000 user accounts)
- A single access point will be provided to the Contractor for data migration
- FAA sends approximately 1,000,000 emails daily with messages averaging 200 kilobytes in size. FAA also sends approximately 22,000 instant messages daily, of which about 7,500 are concurrent.

Collaboration Services – Software products and data characteristics include the following:
- Microsoft SharePoint Enterprise
- 40 - 50 terabytes of data; production environment (7.4 terabytes) expected to double in two to five (2 – 5) years
- Interfaces with other FAA systems; currently use Bamboo Ultimate Suite.

Mobile Access – Via interface with the following:
- Blackberry Enterprise Server (BES)
- FAA may use a Mobile Device Management system/service (MDM) in the future
- Various FAA mobile device pilots currently in place or under consideration that may be continued or expanded (e.g., tablets, smartphones, etc.).

Helpdesk Infrastructure – The FAA's Tier 2 Help Desk includes approximately 40 personnel operating in 10 National Regions, referred to as Virtual/Regional Messaging Administration Teams (VMAT/RMATs). The Contractor will be expected to interact with this group by providing Tier 3 Help Desk support. The VMAT/RMATs use a variety of tool suites, including BMC Remedy.

4 OBJECTIVES

Improving FAA’s messaging service to meet the expressed needs of customers is the key critical element of this acquisition. To this end, the FAA is pursuing the acquisition of an outsourced, Federal Community cloud messaging service. The cloud messaging service must respond to the main objective of accessing any data, anywhere, anytime, using any device, in the most cost effective way. Cloud computing responds to this need because it enables convenient, on-demand network access to shared computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.

The cloud messaging service must meet all specified requirements and performance standards, offer the flexibility, resiliency, reliability, and contingency features to meet FAA’s needs, and provide state-of-the-art technology and security measures to improve the end-user experience and minimize service disruption. Minimum or no software development work is expected, and the cloud messaging service should require minimal effort to interface with other FAA systems.

The objectives that the FAA expects to achieve in this acquisition include the following:
- Improved customer satisfaction by providing a robust, modern, well-established, cloud messaging service that meets all specified service level requirements and performance metrics
- Provision of a cloud messaging service that offers flexibility to adapt to emerging technology, organizational transformation, and expanded use of mobile user devices
- Seamless transition executed by effective program oversight, including timely and accurate communications with various levels of the organization, provisioning of several types of training to accommodate different audiences, and management reporting of project cost, schedule, and risks
- Maximum integration of the cloud messaging service with other cloud and non-cloud services, with minimal user burden
- Compliance with all applicable laws and Federal regulations regarding security and privacy safeguards, to include the Federal Information Security Management Act (FISMA), Privacy Act, and relevant FAA Orders; and other relevant mandates such as the Freedom of Information Act (FOIA) and the electronic discovery (eDiscovery) requirements of the Federal Rules of Civil Procedure
- Reduction of FAA’s in-house system maintenance costs by transferring responsibility for service-related functions to the cloud service provider.

5 SCOPE

As agreed-upon in the contractual Performance Work Statement (PWS), the scope of this acquisition includes a cloud messaging service, additional cloud services, and all the services related to transition, implementation, and operation that meet the requirements set forth in this SOO. The Contractor is responsible for any necessary third party licensing, specialized product configurations, facilities, networks, internet access, support services, and related communications infrastructure necessary to deliver and sustain the service, except that the Contractor is not responsible for licenses of products purchased by FAA.

5.1 Period of Performance

The period of performance is for a base period of one-year from the contract award date with six, one-year options. Delivery within this period of performance and terms of exercising the options are specified in the contract.


5.2 Schedule

The FAA requires that cutover and full transition to the cloud messaging service of all active user accounts will occur within 12 months of contract award. The Contractor is required to develop and adhere to an implementation schedule as part of the Transition Plan which effectively mitigates risks while achieving the program goals of FAA.

6 CLOUD MESSAGING SERVICE REQUIREMENTS

The FAA requires a cloud messaging service that incorporates leading technology and commercial best practices while meeting the regulatory, legal, security, and other operational requirements inherent to the FAA’s mission.

The cloud messaging service must meet the minimum required features and functions and provide the services indicated within the base period of the contract, as indicated on Attachment J-5.

7 SECURITY AND PRIVACY

The cloud service provider must meet all specified system security requirements and implement safeguards so that the security objectives of confidentiality, integrity, and availability are satisfied in all aspects of the cloud messaging service during implementation and service delivery. The cloud service provider must comply with the requirements of the Federal Information Security Management Act (FISMA) and National Institute of Standards and Technology (NIST) standards for Moderate Impact systems. Within 24 hours of request, the cloud service provider must supply FAA’s Cyber Security Management Center (CSMC) with logs to investigate potential security events. The cloud service provider must comply with ISO 27001/27002 and possess a current ISO 27001 certification issued to the provider by a certified third party or a Federal Agency Authority to Operate (ATO) issued to the provider within three years of proposal date submission.

The FAA is currently aligning its cloud security strategy with the guidelines set forth in the “Proposed Security Assessment & Authorization for U.S. Government Cloud Computing,” published by the U.S. Chief Information Officer on November 2, 2010. The guidance specifies the joint security assessment, authorizations, and continuous monitoring requirements of cloud computing services for all Federal agencies. It describes the Government-wide Federal Risk and Authorization Management Program (Fed RAMP) for the assessment of security controls to verify that the appropriate controls are in place for cloud-based services. It is expected that the cloud service provider will use the assessment and authorization process currently specified in Section 3.4.2 of the Fed RAMP document for the authorization of their cloud-based service offering (see www.cio.gov for more details on the Fed RAMP assessment and authorization process). The cloud service provider must authorize the use of third parties to assess security controls of their cloud offerings.

To the extent required to carry out a program of inspection to safeguard against threats and hazards to the security, integrity, and confidentiality of any Government data collected and stored by the cloud service provider, the cloud service provider must provide the Government access to its facilities, installations, technical capabilities, operations, documentation, records, and databases.

If new or unanticipated threats or hazards are discovered by either the Government or the cloud service provider, or if existing safeguards have ceased to function, the discoverer must immediately bring the situation to the attention of the other party.

As set forth in the contract, the cloud service provider will be required to deliver specific documentation related to security and privacy. Such deliverables may include the following, as applicable:
- Privacy Impact Assessment (PIA)
- Fed RAMP Test Procedures and Results
- Security Assessment Report (SAR)
- System Security Plan (SSP)

In addition to the above, the cloud service provider must meet the following security related requirements:
- Retain messages identified as “SPAM” or “Junk Mail” for a period of at least 14 days, for a user to review, and optionally identify as not junk mail to affect filters for future transmission by at least sender email address, and sender domain name
- Provide message security and threat filtering capability and support third party message threat filtering which includes but is not limited to inbound and outbound Spam, Anti-phishing, and Virus
- Provide for all traffic, including web access and synchronization, to be over a Secure Sockets Layer (SSL)/Transport Layer Security (TLS) session in compliance with FIPS 140 (current version), as amended, encryption
- Upgrade to any new Federal data encryption standard that replaces Federal Information Processing Standard (FIPS) 140-2 within six months of publication of the final version of the new encryption standard
- Upgrade to any new Federal data encryption standard that replaces FIPS 197 within six months of publication of the final version of the new encryption standard by NIST
- Support S/MIME v3 and later functions (encryption and digital signature) for both messages and calendar invites/replies
- Support multi-factor authentication including support for Public Key Infrastructure (PKI) certificates from FAA’s Personal Identity Verification (PIV) access card
- Utilize best-practice features for message security (such as spam filtering, anti-virus/anti-malware protection, anti-phishing, screening outbound messages, etc.)

All messaging data (email text, file attachments, contact information, calendar contents, email meta-data, instant messages, to do/task list contents, directory information, and any other FAA messaging information stored in the cloud service provider devices) is and must remain the property of the Government. The cloud service provider must give the Government access to the data and the capability to download the data in a specified format for research, investigation, transfer, or migration to other systems.

All data at rest must remain in the United States. “Data at rest” is defined for this acquisition as all data stored in the cloud service provider devices, excluding data that frequently traverses the network or that which resides in temporary memory or authorized user devices. Data at rest includes all email text, file attachments, contact information, calendar contents, email meta-data, instant messages, to do/task list contents, directory information, and any other FAA messaging information stored in the cloud service provider devices. Data at rest must be encrypted using an appropriate algorithm in accordance with FIPS 197.

The cloud service provider must ensure the separation of FAA data from other cloud service provider customer data and prevent access to FAA data by other customers of the cloud service provider.

8 TRANSITION AND IMPLEMENTATION

The Contractor must provide all service necessary to fully transition, implement, and operate the cloud messaging service across the FAA enterprise. The Contractor must successfully migrate all messaging data (email text, file attachments, contact information, calendar contents, email meta-data, instant messages, to do/task list contents, directory information, and any other FAA messaging information) from personal active (Lotus Notes .nsf) to the cloud messaging service and integrate the cloud messaging service with the FAA’s Blackberry Enterprise Server and other storage devices.

The Contractor must carry out transition activities and implement the cloud messaging service according to a Transition and Implementation Plan delivered and approved by the FAA. The Transition and Implementation Plan must identify the transition approach, schedule, implementation activities, and risk areas that need to be mitigated for a successful transition.

The Contractor’s transition approach must include:
- Full implementation within 12 months of contract award
- Data migration planned and executed in a manner which meets program objectives, requirements, and mitigates risk
- Customer engagement and user communications approach that facilitates a smooth and informed transition
- User training to facilitate service acceptance and use.

8.1 Project Communications

The Contractor must provide timely, effective, and accurate communications prior to, during, and after implementation of the cloud messaging service to ensure user buy-in, keep FAA’s leadership informed of upcoming and past implementation activities, and to help resolve problems. These activities will be described in a Communications Plan provided by the Contractor and approved by FAA. At a minimum, the plan must identify the stakeholders and their roles, the project goals, and methods, frequency, and types of communications to be used.

8.2 Training

The Contractor must provide training for the FAA cloud messaging service users, Government designated System Administrators, and operations and maintenance personnel. The training will be conducted according to a Training Plan provided by the Contractor and approved by FAA. The Training Plan must describe the training modes and instruction media, detail how and when the training will be accomplished, what training materials will be provided, and any necessary prerequisite to taking training.

The Contractor must:
- Prepare and provide all the course materials, lesson plans, demonstration, and test equipment necessary to teach the course
- Conduct training within FAA facilities, unless otherwise specified by the FAA
- Verify the results of training with a suitable test/examination at the completion of each training course, and provide certification to all FAA personnel who pass the course
- Grant FAA a license to use all documentation developed for the course, and the Contractor must supply an editable copy of all training course material for the FAA to reproduce as necessary
- Provide, in addition to other formats, on-line training via a standard web browser to accommodate a variety of audiences who are geographically dispersed.

9 ADDITIONAL FEATURES, FUNCTIONS AND CAPABILITIES

A key objective of the FAA is to maximize the benefits of cloud computing by procuring a cloud messaging service that is scalable and capable of supporting and interfacing with other existing or future systems, whether acquired separately by the FAA or as part of this acquisition. The FAA may find it cost effective to acquire certain additional cloud services as part of the cloud messaging service. Offerors are encouraged to include other offerings and innovations that directly support the objectives in this SOO.

Additional features may include:
- Extended offerings related to unified communications (if so, describe what capabilities are offered that might work in conjunction with or replace services such as Cisco MeetingPlace 7.0, Cisco Unified Presence Server 7.0.6, Cisco IP Communicator 7.0.3, Cisco Unified Personal Communicator 7.0.2, and Cisco Unified Communications manager 7.1.3).
- Support for published API that connects the cloud messaging service to the VTC scheduling server (describe what VTC or other web conferencing capabilities might be offered).
- Cloud messaging service allowing users to share individual Contact or entire Contact list with other users.
- Cloud messaging service allowing users designated as distribution list owners to manage the email addresses in the distribution list.
- Allow users the following capabilities from laptops, desktops, and mobile devices:
  o Secure instant messaging communications
  o An online-presence indicator, and/or status message capability
  o The ability to send, accept, and reject file attachments

All the security, privacy, and training requirements described for the cloud messaging service apply as appropriate to these additional features and other offerings.

10 PROJECT MANAGEMENT AND OPERATIONAL SERVICES

10.1 Project Management Services

The Contractor must provide sufficient project management support to ensure a successful transition to the cloud messaging service and ongoing support operations. The Contractor must manage their performance to ensure compliance with all requirements of the SOO. The Contractor must assign a Project Manager who will ensure the Contractor’s performance complies with all requirements and be the primary point of contact for the work to be performed. The Program Manager must have sufficient corporate authority to direct, execute, and control all elements of the program and ensure that all necessary management, business, contracts, engineering, implementation, and maintenance resources are available and sufficient, both in numbers and qualifications, to successfully perform all the tasks required. The designated Project Manager will be subject to the Key Personnel provisions of the contract. The Contractor must describe their management approach to accomplish the required work efforts in a Project Management Plan (PMP).

The Contractor must continuously monitor the performance of this contract, and of all subcontracts, to provide the Government with a timely assessment of program progress, risk, issues, and problems. The Contractor must work with the FAA to foster an environment of open and proactive communication to ensure achievement of an acceptable performance level, ensure continuity of performance outcomes, and promote quality performance.

The Contractor must follow ITIL best practices and have ISO 20001, ISO 9001, and/or Capability Maturity Model Integration (CMMI) Services certification.

The Contractor must deliver formal reports and informal work products as specified in the contract, to include the following formal project reports:
- Transition and Implementation Plan
- Project Management Plan
- Operations and Maintenance Plan
- Data Migration and Cutover Plan
- Technical Design / Interface Architecture diagrams
- Monthly Project Status Reports, including SLA reporting
- Communications Plan
- Training Plan

10.2 Operations & Maintenance (O&M) Services

The Contractor must provide any operations and maintenance (O&M) support services necessary to support and fully sustain operations of the cloud messaging service at the agreed-upon service levels throughout the performance period. The Contractor must manage its cloud service infrastructure, which may include network, storage, server, virtualization, operating system, platform and/or middleware, or application software, and other related services. Other O&M services provided must include, as a minimum, prescheduled maintenance and configuration management.

10.3 Tier 3 Help Desk Support Services

The Contractor must provide 24/7 Tier 3 Help Desk services and technical support, including support during system maintenance periods, to Government designated System Administrators to resolve any issues pertaining to the cloud messaging service. Support is expected to be provided via telephone and email communications. The Tier 3 Help Desk must meet response and resolution time frames, as indicated in the contract. This Tier 3 Help Desk service must be fully capable of responding to all escalated service requests. Service requests (tickets) may be sent from FAA Tier 2 Help Desks to the Contractor’s Tier 3 Help Desk whenever necessary.

The Contractor must be able to send and receive tickets and ticket status information to the single Help Desk organization. The Contractor must provide Government designated System Administrators access to a web based trouble ticketing system, supported by an API, that is available to report, update, and check status of service incidents.

10.4 Service Level Agreements (SLAs)

The contract will incorporate Service Level Agreements (SLAs) that have been agreed-upon between the Contractor and the FAA and cannot be changed except by mutual agreement. The SLAs shall include metrics related to resolving issues with service and clearly define the Contractor’s escalation policy and procedures. The Contractor’s SLAs must include a credit structure which includes escalation of the credits to the FAA for systemic and endemic failures to provide the level of service proposed. Further, the SLAs shall clearly define how metrics and measures are calculated.

The Contractor’s SLAs must be based upon objective criteria that demonstrate the Contractor’s organizational commitment to the success of the FAA’s program objectives and the extent and completeness to which the SLAs define a basis for guaranteed performance and its availability (expressed as a ratio of activity time to measurement time). A minimal set of SLAs must include:
- Resource utilization statistics
- Performance relative to Recovery Point and Recovery Time Objectives (RPO/RTO)
- Trouble Ticket / Help Desk Maximum and Average Response Time
- Minimum Session Connection Speed (measured at the Service Provider’s Internet POP)
- Notifications of security breaches, compromises of data, and corruption of data, which clearly define who is responsible to provide the remedy to the impacted accounts where individual Personally Identifiable Information (PII) is exposed.

All SLAs must include the information shown in the following table:

PWS Section: Indicates the corresponding PWS section.
Applicable Services: Indicates the services to be evaluated using the stated performance measure.
Performance Measure: Indicates the outcome by which the agency will monitor contractor performance.
Performance Measure Definition: Provides a description and context for which the performance measure will be calculated.
Acceptable Performance Level (APL): Agreed upon performance level that is acceptable to the Government for a given performance measure.
Evaluation Frequency: Indicates standard period when performance will be evaluated adjustable at the discretion of the FAA.
Data Source: Indicates the primary source of information that will be used to evaluate performance.
Surveillance Method: Indicates the primary technique for monitoring and evaluating performance.
Credits: Indicate the amount to be credited to the FAA for failure to meet the specified level of performance.

The FAA is looking for a mutually beneficial approach to effectively monitor the service performance that provides daily insight into the performance of the cloud messaging service while reducing managerial burden to both the Contractor and the FAA. The desired approach would provide an automated system that clearly identifies, in real time, the cloud messaging service configuration and performance, and status of remediation activities.

The Contractor must:
- Effectively report all data as agreed upon in SLAs
- Provide notification to the FAA within 30 minutes of an event which is expected to incur any data loss or compromise
- Within a month of any outage resulting in greater than one hour of unscheduled downtime, submit a report including a description of the event and its root-cause and fix.

11 TECHNICAL INTEGRATION AND OTHER TASK SUPPORT SERVICES

As ordered by Task Order, the Contractor must provide additional capabilities, integration services, and other technical support in these areas:
- Additional cloud computing services
- Systems/software integration support to include planning, updating architecture models, interoperability specifications and analysis, system interface specifications, service definitions, and segmented architecture for the transition, integration, and implementation of systems. Integration may include incorporation of software or services purchased directly by the FAA
- Participation in technical reviews, applicability studies and analysis of common software, and in the decommissioning of current systems
- Assist in technical evaluations, analyses and recommendations of potential improvements and technology insertions.
- Additional project support services, to include training and communications development and delivery. These services may include additional system/software engineering, organizational change management, training, other engineering specialties, and the utilization of subject matter experts.


12 REFERENCED DOCUMENTS

FAA Documents

FAA Order 1600.75, Protecting Sensitive Unclassified Information, February 2005
FAA Order 1280.1B, Protecting Personally Identifiable Information, December 2008
FAA Order 1350, Records Organization, Transfer, and Destruction of Records, August 2001

Regulations, Policy Guidance, and Industry Standards

DoD STD-5015.2 V3 (ref. b), Electronic Records Management Software Applications Design Criteria Standard
Federal Information Security Management Act of 2002 (Public Law 107-347)
Federal Rules of Civil Procedure (Electronic Discovery), December 2006
Freedom of Information Act of 1974 (Public Law 89-554, 80 Stat. 383; Amended 1996, 2002, 2007)
Information Technology Reform Act of 1996 (Public Law 104-106)
Internet Engineering Task Force (IETF) Standards Track 4408, 4510, 5321, and 5322
ISO/IEC 27001:2005 - Information technology - Security techniques - Information security management systems - Requirements, October 2005
ISO/IEC 27002:2005 - Information technology - Security techniques - Code of practice for information security management
NARA Bulletin 2008-05, Guidance Concerning the Use of E-mail Archiving Solutions to Store E-mail, July 31, 2008
NARA Bulletin 2010-05, Guidance on Managing Records in a Cloud Computing Environment, September 8, 2010
NIST Special Publication 500-292, NIST Cloud Computing Reference Architecture, September 2011
NIST Special Publication 800-41, Revision 1, Guidelines on Firewalls and Firewall Policy, September 2009
NIST Special Publication 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, May 1, 2010


NIST Special Publication 800-63, Electronic Authentication Guideline, April 2006
NIST Special Publication 800-125, Guide to Security for Full Virtualization Technologies, January 2011
NIST Special Publication 800-144, Guidelines on Security and Privacy in Public Cloud Computing (DRAFT), January 2011
NIST Special Publication 800-145, The NIST Definition of Cloud Computing, September 2011
NIST Special Publication 800-146, NIST Cloud Computing Synopsis and Recommendations, May 2011
NIST Federal Information Processing Standards (FIPS) 140-2 Encryption Standards Security Requirements for Cryptographic Modules, December 2002
NIST Federal Information Processing Standards (FIPS) 197 Advanced Encryption Standard (AES), November 26, 2001
NIST Federal Information Processing Standards (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems, February 2004
NIST Federal Information Processing Standards (FIPS) 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006
Office of Management and Budget, U.S. Chief Information Officer, Federal Cloud Computing Strategy, February 8, 2011
Privacy Act of 1974 (Public Law 93-579)
Proposed Security Assessment & Authorization for U.S. Government Cloud Computing, November 2, 2010
Section 508 of the Rehabilitation Act of 1973 (29 U.S.C. 794d)

Availability of Documents

FAA Documents

Copies of FAA specifications, standards, and publications may be obtained from the Contracting Officer noted in Section G. Requests should clearly identify the desired material by name and number (when applicable) and state the intended use of the material. Requested copies will be provided in digital format.

Federal Documents


Copies of federal publications may be obtained from the U.S. Government Printing Office, 710 North Capitol Street, Washington DC, 20401, by calling (202) 512-0132, or through the web site http://bookstore.gpo.gov/.

National Institute of Standards and Technology (NIST) Documents

Copies of National Institute of Standards and Technology documents may be obtained through the web site http://csrc.nist.gov/publications/PubsSPs.html.

American National Standards Institute (ANSI) Documents
International Electrotechnical Commission (IEC) Documents
International Organization for Standardization (ISO)

Copies of ANSI, ISO, and IEC documents may be obtained through the web site http://webstore.ansi.org/.
