Inactive
Total Small Business Set-Aside (FAR 19.5)
Notice ID: 70Z02322RPTT07600
Additional Question added:

Question: Could you please clarify specifically what offerors are submitting in regards to the Draft Security Plan? We note the response to the question in row 29 – ‘Yes. Include in Volume IV. Your draft security plan is in response to the Requirements traceability matrix.’ Should offerors respond to each requirement/control on Attachment C (i.e., respond to all 1,852 rows in columns L-O)? Or is this more of an overview of each control/control family and how it relates to the proposed solution?

Response: The draft security plan is required to be submitted; however, the solicitation does not state it will evaluate the plan itself. If awarded, the submitted draft security plan will become a tool to assist in ensuring the vendor meets the security requirements.

Two questions and responses provided:

Question One: I am still unclear on one question our company asked, which can be found below:

Original Question: What kind of documentation is needed to prove we have the Authority to Operate (ATO)? Would a SOC 2 certification or a Pen test be taken? If not, how would we go about getting the proper documentation for an ATO document?

Original Response: The Solicitation states a provisionary authority to operate is allowable. Clause "Safeguarding of Sensitive Information" has the ATO and Complete the "Security Authorization process".

We do not have an ATO in place or a P-ATO in place. We have both a SOC 2 certification and Pen test which are third-party certifications/validations.

Response: The Coast Guard is required to meet Department of Defense (DOD) / Defense Information Systems Agency (DISA) security requirements; therefore, an ATO is required. An ATO may take up to a year to acquire after contract award. We require the solution right away; therefore, a provisionary authority to operate is acceptable and will enable work to proceed while the awardee acquires their ATO (if they do not already have an ATO).

Question Two: Can we submit our ATO letter as a separate file or must it be included in the Technical Volume?

Response: Yes, that is acceptable. Just name the file so that we know it is the ATO and part of the Technical file.

This is a Combined Synopsis/Solicitation for a Platform as a Service (PaaS) admissions technology for the U.S. Coast Guard Academy (USCGA) Admission's Division to store student, volunteer, educator and high school data; assess outcomes; and deliver the technology needed to carry out marketing, communication, recruiting, selection, and enrollment processes.