Inactive Service-Disabled Veteran-Owned Small Business (SDVOSB) Set-Aside (FAR 19.14)

This is a combined synopsis/solicitation for commercial items prepared in accordance with the format in Federal Acquisition Regulation (FAR) Subpart 12.6, as supplemented with additional information i... This is a combined synopsis/solicitation for commercial items prepared in accordance with the format in Federal Acquisition Regulation (FAR) Subpart 12.6, as supplemented with additional information included in this notice. This announcement constitutes the only solicitation; quotations are being requested and a written solicitation will not be issued. Solicitation No. 6913G619Q300162 is issued as a Request for Quotation (RFQ). This solicitation is being conducted in accordance with the policies and procedures prescribed in FAR Part 12, Acquisition of Commercial Items and FAR Part 13, Simplified Acquisition Procedures. The solicitation document and incorporated provisions and clauses are those in effect through Federal Acquisition Circular 2019-02, effective May 6, 2019. The NAICS Code is 541199 and the Small Business size standard is $11 million dollars. This procurement is a 100% service disabled veteran-owned small business set-aside. The U.S. Department of Transportation, John A. Volpe National Transportation Systems Center (Volpe Center), Cambridge, MA, Office of Legal Services or "OLS" has a requirement for an Acquisitions/Legal Subject Matter Expert ("SME") with in-depth knowledge of Federal acquisitions laws and procedures, Department of Transportation regulations and procedures (including the Transportation Acquisition Regulations and Manual, and Volpe-specific policies and procedures) to help it meet the legal needs of the Office of Acquisitions while the federal attorney is out on leave. This SME must be an attorney in good standing in a U.S. state or Federal jurisdiction. The SME will be expected to work and estimated 12 hours per week. The contractor is required to provide all requested specifications and deliver services in accordance with the Statement of Work (SOW) and Quality Assurance Surveillance Plan (QASP) attached. REQUIREMENTS/SPECIFICATIONS The Government intends to award a firm fixed price purchase order as a result of this Combined Synopsis/Solicitation. This notice is expected to result in a single award, subject to receipt of an acceptable proposal. The Offeror's proposal shall be prepared in accordance with attached Instructions, Conditions, and Notice to Offerors and below: CLINS 00300 - 00500. CLIN 00300 - Legal Subject Matter Expert Services in Acquisitions 192 Hours X $_____________________ per hour = $______________________ CLIN 00400 - Travel (Not to Exceed Amount $223.00) $ __________________ ____________ Optional CLIN 00500 - Legal Subject Matter Expert Services in Acquisitions 96 Hours X $______________________ per hour = $______________________ TOTAL for CLINs 00300 and 00500: $______________________ NOTICE TO OFFERORS FAR 52.212-1, Instructions to Offerors-Commercial Items applies to this acquisition and is incorporated by reference. All Offerors must include a completed copy of the provision at FAR 52.212-3, Offeror Representations and Certification-Commercial Items (the complete provision is provided in Attachment 2). An Offeror shall complete only paragraph (b) of this provision if the Offeror has completed the annual representations and certifications electronically using the System for Award Management (SAM) accessible via http://www.Sam.gov. If the Offeror has not completed the annual representations and certifications electronically in SAM, the Offeror shall complete only paragraphs (c) through (o) of this provision. All Contractors must be registered in SAM in order to receive an award from a DOT Agency. The Government intends to award one (1) purchase order on a firm-fixed price basis as a result of this solicitation. This RFQ is expected to result in a single purchase order award, subject to receipt of an acceptable proposal. FAR Clauses and Provisions 52.212-4, Contract Terms and Conditions-Commercial Items, 52.212-5, Contract Terms and Conditions Required to Implement Statutes or Executive Orders-Commercial Items, 52.232-40, Providing Accelerated Payments to Small Business Subcontractors are hereby incorporated by reference. Additional clauses cited in 52.212-5 that apply to this acquisition are: 52.209.6, 52.219-27, 52.222-3, 52.222-19, 52.222-21, 52.222-26, 52.222-35, 52.222-36, 52.222-37, 52.222-50, 52.223-18 and 52.232-33. The FAR provisions and clauses cited in this notice can be viewed at http://www.acquisition.gov/far. This combined synopsis/solicitation hereby incorporates all Federal Acquisition Regulation (FAR) provisions and clauses contained herein. The offer should be addressed to the following: U.S. Department of Transportation, Volpe National Transportation Systems Center, Attn: Christine Guy, V222, 55 Broadway, Cambridge, MA 02142. The signed offer must be submitted via e-mail to Christine.guy@dot.gov by closing date of July 12, 2019 at 3:00 p.m. ET. No telephone requests will be honored. The Government will not pay for any information received. It is anticipated that an award resulting from this combined synopsis/solicitation will be made on or about August 1, 2019. The following FAR provision is incorporated by full text: FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems (JUN 2016) (a) Definitions. As used in this clause- "Covered contractor information system" means an information system that is owned or operated by a contractor that processes, stores, or transmits Federal contract information. "Federal contract information" means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments. "Information" means any communication or representation of knowledge such as facts, data, or opinions, in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual (Committee on National Security Systems Instruction (CNSSI) 4009). "Information system" means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information (44 U.S.C. 3502). "Safeguarding" means measures or controls that are prescribed to protect information systems. (b) Safeguarding requirements and procedures. (1) The Contractor shall apply the following basic safeguarding requirements and procedures to protect covered contractor information systems. Requirements and procedures for basic safeguarding of covered contractor information systems shall include, at a minimum, the following security controls: (i) Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems). (ii) Limit information system access to the types of transactions and functions that authorized users are permitted to execute. (iii) Verify and control/limit connections to and use of external information systems. (iv) Control information posted or processed on publicly accessible information systems. (v) Identify information system users, processes acting on behalf of users, or devices. (vi) Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. (vii) Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse. (viii) Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals. (ix) Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices. (x) Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems. (xi) Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. (xii) Identify, report, and correct information and information system flaws in a timely manner. (xiii) Provide protection from malicious code at appropriate locations within organizational information systems. (xiv) Update malicious code protection mechanisms when new releases are available. (xv) Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed. (2) Other requirements. This clause does not relieve the Contractor of any other specific safeguarding requirements specified by Federal agencies and departments relating to covered contractor information systems generally or other Federal safeguarding requirements for controlled unclassified information (CUI) as established by Executive Order 13556. (c) Subcontracts. The Contractor shall include the substance of this clause, including this paragraph (c), in subcontracts under this contract (including subcontracts for the acquisition of commercial items, other than commercially available off-the-shelf items), in which the subcontractor may have Federal contract information residing in or transiting through its information system. U.S. DEPARTMENT OF TRANSPORTATION (DOT) CONTRACTOR PERSONNEL SECURITY AND AGENCY ACCESS (NOV 2011) The following definitions are provided: "Agency Access" means access to DOT facilities, sensitive information, information systems or other DOT resources. "Applicant" is a Contractor employee for whom the Contractor submits an application for a DOT identification card. "Contractor Employee" means prime Contractor and subcontractor employees who require agency access to perform work under a DOT contract. "Identification Card" (or "ID card") means a government issued or accepted identification card such as a Personal Identity Verification (PIV) card, a PIV-Interoperable (PIV-I) card from an authorized PIV-I issuer, or a non-PIV card issued by DOT, or a nonPIV card issued by another Federal agency and approved by DOT. PIV and PIV-I cards have physical and electronic attributes that other (non-PIV) ID cards do not have. "Issuing Office" means the DOT entity that issues identification cards to Contractor employees. "Local Security Servicing Organization" means the DOT entity that provides security services to the DOT organization sponsoring the contract. 1. Risk and Sensitivity Level Designations - For contracts requiring access to DOT facilities, sensitive information, information systems or other DOT resources, the Contractor employees will be required to complete background investigations, identity proofing, and government identification card application procedures to determine suitability for access. DOT will assign a risk and sensitivity level designation to the overall contract and/or to Contractor employee positions by category, group or individual. The risk and sensitivity level designations will be the basis for determining the level of personnel security processing required for Contractor employees. IF THE DESIGNATED RISK IS: THE BACKGROUND INVESTIGATION IS: Low National Agency Check with Written Inquiries (NACI) Moderate Minimum Background Investigation (MBI) High Background Investigation (BI) Contractor employees may also be required to obtain security clearances (i.e., Confidential, Secret, or Top Secret). National Security work designated "special sensitive," "critical sensitive," or "non-critical sensitive" will determine the level of clearance required for Contractor employees. Personnel security clearances for national security contracts within the U.S. DOT will be processed according to the Department of Defense National Industrial Security Program Operating Manual (NISPOM). 2. Pre-screening of Contractor Employees - The Contractor must pre-screen individuals designated for employment under any DOT contract by verifying minimal suitability requirements to ensure that only quality candidates are considered for contract employment, and to mitigate the burden on the Government of conducting background investigations on objectionable applicants. The Contractor must exercise due diligence in pre-screening all employees prior to submission to DOT for agency access. DOT may decline to grant agency access to a Contractor employee for reasons including, but not limited to: a) Conviction of a felony, a crime of violence, or a misdemeanor involving moral turpitude. b) Falsification of information entered on forms or of other documents submitted. c) Improper conduct including criminal, infamous, dishonest, immoral, or notoriously disgraceful conduct or other conduct adverse to the Government regardless of whether the conduct is directly related to the contract. d) Any behavior judged to pose a potential threat to DOT facilities, sensitive information, information systems or other resources. 3. Citizenship and Alien Status - The Contractor must monitor an alien's continued authorization for employment in the United States. The Contractor must provide documentation to the Contracting Officer or the Contracting Officer's Technical Representative during the background investigation process that validates that the E-Verify requirement has been met for each Contractor employee. 4. Background Investigation and Adjudication - The Contractor employee must have a favorable adjudication of background investigation before DOT will issue an ID card to the Contractor employee granting access to DOT facilities, sensitive information, information systems or other DOT resources. DOT may accept favorable adjudications of background investigations from other Federal agencies when applicants have held PIV cards issued by those agencies with no break in service. DOT may also accept PIV-I (interoperable) cards issued by an authorized PIV-I issuer as evidence of identity. A favorable adjudication does not preclude DOT from initiating a new investigation when deemed necessary. At a minimum, the FBI National Criminal History Check (fingerprint check) must be favorably completed before a DOT identification card can be issued. Each Contractor must use the Office of Personnel Management's (OPM) e-QIP system to complete any required investigative forms. Instructions for obtaining fingerprints will be provided by the COTR or CO. The DOT Office of Security, M-40, or a DOT organization delegated authority by M-40, is responsible for adjudicating the suitability of Contractor employees. 5. Agency Access Denied - Upon contract award, DOT will initiate the agency access procedure for all Contractor employees requiring access to DOT facilities, sensitive information, information systems and other DOT resources for contract performance. DOT may deny agency access to any individual about whom an adverse suitability determination is made. Failure to submit the required security information or to truthfully answer all questions shall constitute grounds for denial of access. The Contractor must not provide agency access to Contractor employees until the COTR or CO provides notice of approval, which is authorized only by the DOT Office of Security (M-40) or a DOT organization delegated authority by M-40. Where a proposed Contractor's employees are denied agency access by the Government or, if for any reason proposed applications are withdrawn by the Contractor during the agency access process, the additional costs and administrative burden for conducting additional background investigations caused by a lack of effective pre screening or planning on the part of the Contractor may be considered as part of the Contractor's overall performance evaluation. 6. Identification Card Application Process - The COTR will be the DOT ID card Sponsor and point of contact for the Contractor's application for a DOT ID card. The COTR shall review and approve the DOT ID card application before an ID card is issued to the applicant. An applicant may be issued either a Personal Identity Verification (PIV) card that meets the standards of Homeland Presidential Security Directive (HSPD-12), or an applicant may be issued a non-PIV card. Generally, a non-PIV card will be issued for contracts that expire in six months or less, including option periods. The COTR may request the issuing office to waive the six month eligibility requirement when it is in DOT's interest for contract performance. The applicant must complete a DOT on-line application for a PIV card. For a non-PIV card, the applicant must complete and submit a hard copy of Form 1681to the COTR/Sponsor. Regardless of the type of card to be issued (PIV or non-PIV), the applicant must appear in person to provide two forms of identity source documents in original form to DOT. The identity source documents must come from the list of acceptable documents included in Form I-9, OMB No. 1115-0136, Employment Eligibility Verification. At least one document must be a valid State or Federal government-issued picture identification. For a PIV card, the applicant may be required to appear in-person a second time for enrollment and activation. 7. Identification Card Custody and Control- The Contractor is responsible for the custody and control of all forms of government identification issued by DOT to Contractor employees for access to DOT facilities, sensitive information, information systems and other DOT resources. The Contractor must immediately notify the COTR or, if the COTR is unavailable, the CO when a Contractor employee no longer requires agency access due to transfer, completion of a project, retirement, removal from work on the contract, or termination of employment. The Contractor is responsible for maintaining and safeguarding the DOT ID card upon issuance to the Contractor employee. The Contractor must ensure that Contractor employees comply with DOT requirements concerning the renewal, loss, theft, or damage of an ID card. The Contractor must immediately notify the COTR or, if the COTR is unavailable, the CO when an ID card is lost, stolen or damaged. Failure to comply with the requirements for custody and control of DOT ID cards may result in withholding final payment or contract termination based on the potential for serious harm caused by inappropriate access to DOT facilities, sensitive information, information systems or other DOT resources. a) Renewal: A Contractor employee's DOT issued ID card is valid for a maximum of three years or until the contract expiration date (including option periods), whichever occurs first. The renewal process should begin six weeks before the PIV card expiration date. If a PIV card is not renewed before it expires, the Contractor employee will be required to sign-in daily for facility access and may have limited access to information systems and other resources. b) Lost/Stolen: Immediately upon detection, the Contractor or Contractor employee must report a lost or stolen DOT ID card to the COTR, or if the COTR is unavailable, the CO, the issuing office, or the local servicing security organization. The Contractor must submit an incident report within 48 hours, through the COTR or, if the COTR is unavailable, the CO, the issuing office, or the local security servicing organization describing the circumstances of the loss or theft. The Contractor must also report a lost or stolen PIV card through the DOT on-line registration system. If the loss or theft is reported by the Contractor to the local police, a copy of the police report must be provided to the COTR or CO. From the date of notification to DOT, the Contractor must wait three days before getting a replacement ID card. During the 3- day wait period, the Contractor employee must sign in daily for facility access. c) Replacement: An ID card will be replaced if it is damaged, contains incorrect data, or is lost or stolen for more than 3 days, provided there is a continuing need for agency access to perform work under the contract. 8. Surrender of ID Cards - Upon notification that routine access to DOT facilities, sensitive information, information systems or other DOT resources is no longer required, the Contractor must surrender the DOT issued ID card to the COTR, or if the COTR is unavailable, the CO, the issuing office, or the local security servicing organization in accordance with agency procedures. 9. Use of This Clause - The Contractor is required to include these clauses in any subcontracts that require the subcontractor or subcontractor's employees to have access to DOT facilities, sensitive information, information systems or other resources. 1252.239-70 CYBERSECURITY REQUIREMENTS FOR UNCLASSIFIED AND SENSITIVE INFORMATION TECHNOLOGY (IT) RESOURCES (JUNE 2012) (a) Required Policies and Regulations - Compliance with applicable Federal statutes, policies, standards, and guidelines is the responsibility of the Federal government and may not be abdicated to the Contractor. To achieve such compliance, the government requires the Contractor to conform to all U. S. Department of Transportation (DOT) and applicable Federal IT Security statutes, policies, standards, and reporting requirements, including, but not limited to: (1) Federal Information Security Management Act (FISMA) of 2002, 44 U.S.C § 3541 et seq. (2) Clinger-Cohen Act of 1996 also known as the "Information Technology Management Reform Act of 1996," 40 U.S.C § 1401 et seq. (3) Privacy Act of 1974, 5 U.S.C. § 552a, as amended. (4) Office of Management and Budget (OMB) Circular A-130, "Management of Federal Information Resources," and Appendix III, "Security of Federal Automated Information Systems," as amended. (5) OMB Memorandum M-04-04, "E-Authentication Guidance for Federal Agencies." (6) Homeland Security Presidential Directive (HSPD-12), "Policy for a Common Identification Standard for Federal Employees and Contractors," August 27, 2004. (7) DOT Order 1351.37, "Departmental Cybersecurity Policy." (8) DOT Departmental Cybersecurity Compendium "Supplement to DOT Order 1351.37: Departmental Cybersecurity Policy." (9) DOT Order 1681.1, "Department of Transportation (DOT) Implementation Policy for Identity, Credential, and Access Management (lCAM) and Homeland Security Presidential Directive - 12 (HSPD-12)." (10) National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS) Publication (PUB) 140, "Security Requirements for Cryptographic Modules." (11) NIST FIPS PUB 199, "Standards for Security Categorization of Federal Information and Information Systems." (12) NIST FIPS PUB 200, "Minimum Security Requirements for Federal Information and Information Systems." (13) NIST FIPS PUB 201, "Personal Identity Verification (PIV) of Federal Employees and Contractors" and all related NIST Special Publications. (14) NIST Special Publication 800-18, "Guide for Developing Security Plans for Federal Information Systems." (15) NIST Special Publication 800-30, "Risk Management Guide for Information Technology Security Risk Assessment Procedures for Information Technology Systems." (16) NIST Special Publication 800-34, "Contingency Planning Guide for Information Technology Systems." (17) NIST Special Publication 800-37, "Guide for the Security Certification and Accreditation of Federal Information Systems." (18) NIST Special Publication 800-47, "Security Guide for Interconnecting Information Technology Systems." (19) NIST Special Publication 800-53, "Recommended Security Controls for Federal Information Systems." (20) NIST Special Publication 800-53A, "Guide for Assessing the Security Controls in Federal Information Systems." (21) NIST Special Publication 800-63, "Electronic Authentication Guidance." (b) Applicability - The Contractor shall be responsible for Information Technology security for all systems connected to a DOT network operated by the Contractor for DOT, or for Contractor Systems that contains DOT information regardless of location. The term Information Technology, as used in this clause, means any equipment or interconnected system or subsystem of equipment used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information. For purposes of this definition, equipment is used by DOT whether DOT uses the equipment directly or it is used by a contractor under a contract with the agency which (1) requires the use of such equipment or (2) requires the use, to a significant extent, of such equipment in the performance of a service or the furnishing of a product. Information Technology includes computers, ancillary equipment, software, firmware and similar procedures, services (including support services), and related resources. It does not include any equipment acquired by a Federal contractor incidental to a Federal contract. (c) Security Categorization - In accordance with FIPS 199, "Standards for Security Categorization of Federal Information and Information Systems," DOT has determined that the security category of the information or information system under this contract is Confidentiality [Indicate LOW, MODERATE, or HIGH)], Integrity [Indicate LOW, MODERATE, or HIGH)], Availability [Indicate LOW, MODERATE, or HIGH)] with an overall security impact level of [Indicate LOW, MODERATE, or HIGH)]. (d) Baseline Security Controls and System Security Plan - The Contractor shall develop and maintain the System Security Plan and associated Baseline Security Controls for the system as defined in the DOT Departmental Cybersecurity Compendium. To aid DOT senior officials and Contractors in determining applicable security controls, the Departmental Cybersecurity Compendium assigns security requirements (also referred to as controls and policy) to the DOT Component and Information System levels. The Contractor is responsible for all "System-level" security requirements in accordance with the FIPS PUB 199 Categorization approved for the system unless otherwise indicated in the Statement of Work or Performance Work Statement. The Contractor shall follow DOT policy and guidance specified in DOT Order 1357.31 and the Departmental Cybersecurity Compendium to appropriately tailor the set of baseline security controls and define the implementation owner of each control. The Contractor shall obtain the written approval of the System Security Plan and corresponding Baseline Security Controls from the DOT Authorizing Official or his/her designee. (e) Information System Contingency Plan (ISCP) and Testing -- The Contractor shall develop and maintain the ISCP for the system as defined in the DOT Departmental Cybersecurity Compendium. The Contractor shall regularly test the ISCP and document test results in accordance with the DOT Departmental Cybersecurity Compendium. (f) Security Assessment and Authorization - All applicable Contractor systems/applications must support risk management processes, and produce and maintain the documents and artifacts as specified in the DOT Departmental Cybersecurity Policy and the DOT Departmental Cybersecurity Compendium. The Contractor shall prepare and submit the required documents as specified in the Deliverables section of the contract. For systems categorized as High or Moderate security impact per FIPS PUB 199, the Contractor must obtain a qualified independent Security Control Assessor and obtain the approval of this assessor from the DOT Authorizing Official. The Contractor may not begin the processing of DOT information, interconnecting with DOT networks or systems, or any other production operation of the system until the DOT Authorizing Official grants security authorization in accordance with DOT policy and procedures specified in the Departmental Cybersecurity Policy and Compendium. (g) Continuous Monitoring - Upon attainment of security authorization from the DOT Authorizing Official, the Contractor must implement and perform continuous monitoring of the security state and controls of the information system as specified in the Departmental Cybersecurity Policy and Compendium producing the specified reports and other artifacts to demonstrate ongoing risk management. (h) Contract Compliance - Upon approval by DOT, the Systems Security Plan, FIPS 199 Categorization, Contingency Plan, Security Assessment Report, Security Authorization, Plan of Action and Milestones (including any required updates), and other documents that are required based on the type of information system in accordance with the Departmental Cybersecurity Policy and Compendium, shall be incorporated into the contract file as compliance documents. (i) Availability of Data, Documents and Access - (1) The Contractor shall ensure that all DOT data remains within the United States except as approved in writing by the DOT Authorizing Official or his/her designee. (2) The Contractor shall provide DOT (or DOT- designated third party contractors) access to the Contractor's and subcontractors' facilities, installations, operations, documents, records, databases, and personnel used in performance of the contract. The Contractor shall have the means to support DOT's request for access 24 hours per day, 7 days per week which may be necessitated due to a security incident, breach or other security matter. (3) The Contractor shall provide access to the extent required to carry out IT security inspections, investigations, and/or audits to safeguard against threats and hazards to the integrity, availability, and confidentiality of DOT information or to the functions of information technology operated on behalf of DOT, and to preserve evidence of criminal activity. (4) Upon termination of the contract or earlier, upon request, the Contactor shall provide to the DOT Authorizing Official or his/her designee all DOT data, source code, or database files, in a format specified by the DOT Authorizing Official or his/her designee. (j) Monthly Deliverables: The Contractor shall provide, on a monthly basis, the following information in NIST Security Content Automation Protocols (SCAP) XML data formats: (1) Device inventory (type of device and software); (2) Medium and High Vulnerabilities for each device; (3) Deviations from approved Configuration Baselines for each device; and (4) Additional information as required by OMB or the Department of Homeland Security (DHS) as indicated in the Departmental Cybersecurity Compendium. (k) Quarterly Deliverables: The Contractor shall provide, on a quarterly basis, the following information in a format specified by the COTR: (1) Plan of Action and Milestones (POA&M) - The Contractor shall prepare a draft of the POA&M associated with known weaknesses at the completion of the initial security assessment. The Contractor shall collaborate with the DOT System Owner, Information System Security Officer/Manager (ISSO/ISSM) and DOT Authorizing Official to obtain necessary information to complete the POA&M to meet DOT guidelines specified in the DOT Departmental Compendium. The POA&M approved by the DOT Authorizing Official shall be included in the initial authorization package. Upon entering Continuous Monitoring phase, the Contractor shall update the POA&M at least quarterly to ensure it contains all known system security weaknesses discovered through security assessment, continuous monitoring, internal and external audits, and related activities that examine security and IT controls of the contractor information system. The POA&M update shall also include progress on corrective actions for weaknesses previously identified. (l) Annual Deliverables: The Contractor shall provide, on an annual basis, the following documents to the contracting officer and COTR: 1. Updated security risk management documentation: a. System Security Plan - The Contractor shall review and update the System Security Plan at least annually to ensure the ...