This repository has been archived by the owner on Dec 8, 2017. It is now read-only.


Attachment1_PWS.md


# PERFORMANCE WORK STATEMENT (PWS) For Identity Management Shared Authentication Platform Support

July 7, 2016

Client Order ID (COI) ID09160051

1.0 BACKGROUND

Consumer Identity Management is a problem the Government has tried to solve in a number of ways over the past decade. 18F and a team across the government are now tasked with launching a new solution by November 2016. Our efforts are clearly described on our blog and further detailed in Executive Order 13681.

In addition, our current public work is available at this GitHub repository.

2.0 OBJECTIVES

The overall objective of the 18F Identity Management Project is to develop a comprehensive identity solution for government agencies, using a combination of custom-built and commercial products. This particular task order is to procure an agile engineering team to support the implementation of this tool with the code bases of agencies that plan to use the tool. This team will work with the team at 18F to do the following:

  • Integrate the 18F identity solution with agency code bases

  • Support 18F in solving identity issues faced by agencies

  • Improve the 18F identity solution to help meet agency needs

3.0 SCOPE

The Identity Management Team at 18F is looking for a contractor to deliver a number of technical features by November 2016. The Identity Management team, based at 18F, includes developers, designers, and User Experience (UX) researchers, all working together to build a consumer facing shared authentication platform that can be used by different government agencies.

This Performance Work Statement (PWS) describes the technical and administrative components of the requirement as follows:

  • Task requirements that the Contractor must successfully perform (Section 4).

  • Operational requirements that must be met while the Contractor performs (Section 5).

  • Generalized administrative requirements that are contract-oriented such as type of contract, period of performance, and any other terms and conditions (Section 6).

  • Invoicing Instructions for Contractor to receive payment (Section 7).

4.0 REQUIREMENTS

The Contractor will provide the following services:

  • Contractor will work with agency partners and 18F Identity Management team to build integration (using Security Assertion Markup Language (SAML) or other appropriate technology) between agency web properties and 18F identity management product.

  • Contractor will provide feedback to 18F Identity Management team regarding the requirements of agency partners.

  • Contractor will work with 18F Identity Management team to improve the 18F identity management product to meet the requirements of the agency partners.

Additional requirements:

  • Contractor shall adhere to US Web Design Standards or other design standards as developed by the 18F team.

  • As part of this being purchased off of the Agile Blanket Purchase Agreement (aBPA), work will be conducted in two-week sprints and reviewed at the end of each sprint for acceptability before moving on. The contractor and government may mutually agree to alter sprint length as needed.

The Contractor will not be responsible to do the following:

  • Provide or configure hosting of source code, or web sites

5.0 OPERATIONAL REQUIREMENTS

5.1 Project Management

The Contractor shall provide a Project Manager as the primary point of contact for the government’s program office to enable timely problem resolution, reporting in accordance with Program Management methodologies, and properly aligning staffing requirements. Sprint plans will be developed collaboratively with the Product Owner from the Identity Management Team, as well as staff from the 18F Acquisitions team.

Per agile development principles, the Contracting Officer’s Representative (COR) and Contractor will be expected to work with the Product Owner (as determined by 18F), and an 18F Product Manager. Refer to Attachment 2 for Government Roles and Responsibilities.

5.2 Impact Reports

The Contractor shall be responsible for providing timely notification to the COR, 18F Product Manager, and Identity Management Product Owner when activities or issues outside of the Contractor’s control may directly impact the Contractor’s performance. This notification shall be provided in writing or via email within 24 hours of any anticipated or known impact.

5.3 Status Reports

In lieu of a typical status report, Contractor's progress shall be documented for each sprint's period of performance as follows:

  • Links to the GitHub issues/commits/branches

  • Screenshot, links, or other documentation from the shared project management system reflecting completed features, including number and percentage of completed sprint tasks (e.g. percentage of tasks completed)

5.4 Daily Operations

Contractor’s Project Manager shall be responsible for daily operations as well as coordinating and communicating with the 18F Product Manager. Daily operations may include:

  • Daily standup via video

  • Chat operations via Slack

  • Manage and update user stories + workflow tasks in shared project management system

5.5 Personnel

5.5.1. Desired Skills and Knowledge

The Contractor shall provide qualified personnel commensurate with this task's performance work statement, in terms of necessary skills at the requisite level of knowledge and experience.

Broadly, a team assigned to 18F is expected to have experience with:

  • Identity Protocols, such as:

    • SAML
    • OAuth
    • OpenID Connect
  • Highly scalable systems, meaning 100s or 1000s of Transactions per Second

  • Building and testing public facing sites and tools

  • Managing multi-terabyte operational datasets.

  • Understanding and analyzing multi-terabyte operational datasets (Big Data)

  • As developers will likely be sitting side-by-side with our clients, they also need to be personable, comfortable working with unfamiliar codebases, and able to adapt quickly to our customers' needs.

In addition to the skills articulated on the Labor Categories for the Blanket Purchase Agreement, Contractor personnel shall have a strong technical experience base in a majority of the following:

Front End Engineers shall be experienced in the following areas:

  • Scrum Development

  • JavaScript

  • CSS (Cascading Style Sheets)

  • Customer Service Skills

  • User Experience Testing

  • Experience contributing to and/or using open source software

Back End Engineers shall be experienced in the following areas:

  • Rails and other web frameworks such as NodeJS or Django

  • Contributing to and/or using open source software

  • Cloud deployment in Infrastructure as a Service (IaaS) or Platform as a Service (PaaS) environments

Full Stack Engineers shall be experienced with a combination of the above Front and Back-end areas.

Security Engineers shall be experienced in the following areas:

  • SSO (Single Sign On) mechanisms such as SAML and OAuth2.0

  • Performing security audits, risk analysis and threat modeling

  • Symmetric and public-key cryptography

5.5.2 Key Personnel

All staff for this project must be listed as Key Personnel.

To ensure successful performance of this task, Contractor shall satisfy the following requirements:

a) The Contractor shall assign personnel whose résumés are submitted with its quotation to perform this task order.

b) If any individual proposed as Key Personnel becomes unavailable during the course of the solicitation and evaluation process, the Contractor shall notify the Contracting Officer immediately and provide a substitute person with résumé. Any Key Personnel proposed who are not currently employed by the Contractor shall be identified as such, and an additional letter of intent signed by the proposed Key Personnel shall be provided that indicates that person's intent to be employed by the Contractor if awarded this task order.

c) The Contractor agrees that during the duration of the base period of performance of the task order, no Key Personnel substitutions shall be made unless necessitated by an individual’s sudden illness, death, or termination of employment for cause. In any such event, the Contractor shall promptly notify the COR and provide the information required by paragraph (e) below on the proposed replacement for Government approval. No substitutions of Key Personnel shall be made except in accordance with this provision.

d) All requests for substitutions/additions of Key Personnel must include a detailed explanation of the circumstances necessitating the proposed substitution or addition, a complete résumé for the proposed substitute or addition including skills, experience, education, training, and security level. As determined by the Contracting Officer, all proposed substitutes/additions must have qualifications that meet or exceed the qualifications of the person to be replaced.

e) The Contracting Officer, or duly designated COR, will evaluate the request(s) for substitutions/additions of Key Personnel and the Contracting Officer will notify the Contractor, in writing, of approval or disapproval. Disapproval of the proposed individual(s) shall not provide grounds for non-performance by the Contractor or form the basis of any claim for monies, delivery schedule extension, or any other equitable adjustment.

f) The Project Manager/Technical Lead will be a direct liaison to the COR, 18F’s Project Manager, and the Identity Management Product Owner. The Technical Lead/Project Manager is responsible for the supervision and management of the Contractor’s personnel, technical assistance, and interface. Desired skills and experience for the Technical Lead/Project Manager include:

  • Experience in technical leadership.

  • Ability to rapidly prioritize competing requirements.

  • Ability to understand and simplify customer requirements.

  • Ability to communicate end user feedback to technical and design leads.

  • Strong communication skills.

  • Proven knowledge of industry standards.

The Technical Lead/Project Manager must have a full understanding of the technical approach discussed in the Oral Presentations and delivered by the Contractor after award. NOTE - the labor category proposed for this Technical Lead/Project Manager is at the Offeror's discretion.

5.5.3 Estimated Level of Effort

The Government estimates this project will require no more than 4-5 personnel, with all but the Product Manager expected to be close to full time, though the exact number of hours may vary week to week. Contractors are encouraged to use their own estimating methodology to determine the skill mix and level of effort necessary to successfully perform this task order.

5.6 Deliverables

Table 1 List of Deliverables

| REQUIRED DELIVERABLES / REPORTS | DUE DATES | DESCRIPTION OF DELIVERABLE CONTENT |
| --- | --- | --- |
| Status Reports | 1 business day after each sprint | A report of progress throughout each sprint |
| Code Repository of Product | End of task order | Version-controlled Open Source repository of code that comprises prototype |
| Development Prototype | End of second sprint, and every sprint thereafter | In-progress development prototype, accessible on the web via staging server / development server |
| Transition plan | 3 business days after the conclusion of the second-to-last sprint | See Section 5.7.1 of the PWS |

5.6.1 Delivery Instructions

Code deliverables shall be submitted via the GitHub repository. A copy of any document deliverables shall be submitted to the COR, Product Owner, and 18F Product Manager, and uploaded to the AASBS (Assisted Acquisition Services Business System) web portal. Refer to Section 6.11 for additional information on the AASBS web portal.

5.6.2 Inspection and Acceptance of Services

Within approximately 5 days of each sprint's conclusion, the Government will inspect, test, review and accept all periodic reports and task deliverables, as applicable.

Only the COR, and their designated alternate, has the authority to accept or reject all deliverables. The COR will provide written final acceptance of all deliverables to the Contractor within approximately 30 days from the end of the task order, via electronic means.

Any Contractor performance to correct defects found by the Government as a result of quality assurance surveillance and by the Contractor as a result of quality control, shall be in accordance with FAR 52.246-6, Inspection – Time-and-Materials and Labor-Hour. The COR will monitor compliance and report to the Procurement Project Manager.

5.6.3 System Documentation

The Contractor shall consult with the COR to determine what is appropriate, effective, and essential for system documentation. The Government requires, at a minimum, that the Contractor generate comprehensive and complete documentation within the code itself, within the source code version control system (e.g., through proper use of descriptive commit messages, issue tracking, pull requests, etc.), and, as appropriate, in separate documentation; provide artifacts; and create new user stories based on each sprint.

5.6.4. Quality Assurance

The Government will use the attached draft Quality Assurance Surveillance Plan (QASP) to monitor the Contractor’s performance. The QASP will provide oversight to help ensure that service levels reach and maintain the required levels for performance of this task. Further, the QASP provides the COR with a proactive way to avoid unacceptable or deficient performance, and provides verifiable input for the required Past Performance Information Assessments. The QASP is a living document and may be updated by the Government as necessary. Any updates to the QASP will be provided to the Contractor. The draft QASP will be updated within 14 days of the contract kick-off meeting.

5.7 Transition

5.7.1 Transition Plan

The Contractor shall:

a) Ensure and agree that all deliverables, products, licenses, designs, data, documentation, tests, user research notes, source code, configuration settings and files, and materials developed throughout this task order will be the property of the U.S. Government and in the public domain.

b) Two weeks prior to task order conclusion, provide a brief Transition Plan for all deliverables, products, and materials in coordination with the COR, 18F Product Manager and Product Owner from GSA.

c) Coordinate with the COR and potentially another vendor, and implement the Transition Plan according to the COR’s direction.

d) Provide assistance to the COR, 18F Product Manager, and potentially other Government staff to stand-up the application.

5.7.2 Transition Activities

During the transition to the Government, or a new contractor, the Contractor shall perform all necessary transition activities. Expected transition activities may include, but not be limited to, continuation of full services to 18F and other customers; participation in meetings with the Government or new contractor to effect a smooth transition and provide detailed information on the operation of all deliverables, at COR's discretion; training of new personnel, either Government or new contractor, during transition period; and appropriate close-out of any outstanding technical and related performance elements for this task.

Final report shall include a list of sprint tasks completed, documentation, and link to code repository developed for 18F. Should the Contractor be terminated prior to the end of the period of performance, the Contractor shall transfer all project materials to the COR within two weeks of the COR’s request.

5.8 Travel

No travel outside of the Baltimore-Washington region is anticipated or will be required as part of this task order.

5.9 Potential Organizational Conflicts

Before award of this task order, Offerors shall provide a signed Organizational Conflict of Interest statement with their quotation submission, if applicable, which describes concisely all relevant facts concerning any past, present, or planned interest (financial, contractual, organizational, or otherwise) relating to the work to be performed under the proposed task order and bearing on whether the Offeror has a possible organizational or personnel conflict of interest with respect to:

  1. Being able to render impartial, technically sound, and objective assistance or advice, or

  2. Being given an unfair competitive advantage.

The Offeror may also provide relevant facts that show how its organizational structure and/or management systems limit its knowledge of possible organizational conflicts of interest relating to other divisions or sections of the organization and how that structure or system would avoid or mitigate such organizational conflict.

No task order award shall be made until any potential conflict of interest has been neutralized or mitigated to the satisfaction of the Contracting Officer. The contractor shall notify the Contracting Officer in writing as soon as any conflict of interest is identified and will propose steps for mitigating the conflict.

Refusal to provide the requested information or the willful misrepresentation of any relevant information by an Offeror shall disqualify the Offeror from further consideration for award of a task order under this solicitation.

If the Contracting Officer determines that a potential conflict can be avoided, effectively mitigated, or otherwise resolved through the inclusion of a special contract clause, the terms of the clause will be subject to negotiation.

6.0 TERMS AND CONDITIONS

6.1 Type of Contract

This is a labor-hour order under master Agile BPA terms and conditions.

6.2 Period of Performance (POP)

The Period of Performance (POP) includes a base period of 3 months, with 3 additional option periods, each 3 months in duration. Further, a contingency of up to 6 months may be exercised. The POP is expected to begin within 10 calendar days after award.

6.3 Place and Hours of Performance

The primary place of performance will be at the government’s facility at GSA Headquarters at 1800 F St. NW, Washington, DC, and at Alternate Sites including partner agency facilities. 18F is a distributed team and some 18F staff involved in this contract may not be located in Washington, DC. Staff may also be distributed or work at their homes, per agreement with the Government Product Owner.

Business core hours shall be 0900 to 1800 local time, Monday – Friday on Government scheduled work days. The contractor may set its own work hours except that the contractor shall be available for technical contact by the Government between the hours of 0900 and 1800 local time on Government work days.

6.4 Special Terms and Conditions

6.4.1 Section 508 Compliance Requirement

The contractor shall support the Government in its conformance with Section 508 throughout the development and implementation of the work to be performed.

Section 508 of the Rehabilitation Act of 1973, as amended (29 U.S.C. 794d) requires that when Federal agencies develop, procure, maintain, or use electronic information technology, Federal employees with disabilities have access to and use of information and data that is comparable to the access and use by Federal employees who do not have disabilities, unless an undue burden would be imposed on the agency. Section 508 also requires that individuals with disabilities, who are members of the public seeking information or services from a Federal agency, have access to and use of information and data that is comparable to that provided to the public who are not individuals with disabilities, unless an undue burden would be imposed on the agency.

The following standard is applicable for compliance:

1194.22 Web-based Intranet and Internet Information and Applications.

The contractor should review the following websites for additional 508 information:

6.5 Post Award Orientation Conference

The Government's team, Contracting Officer, and COR shall hold a Kick-Off Meeting/Post-Award Conference. Ideally, this will be physically located in Washington, DC, but may be done virtually with Contractor’s team and other relevant Government staff to review and clarify the project’s objectives, expectations from the Government, and address any questions the Contractor may have. Discussion topics shall include, but not be limited to:

  • Introduction of the Contractor and Government Staff;

  • Understanding of the workflow;

  • Project management expectations;

  • Agreement on communication methods; and

  • Discussion of any other relevant specific concerns.

The Kick-Off Meeting/Post-Award Conference will take place within 10 calendar days from award.

The Contractor shall provide any finalized Contractor Teaming Arrangements (CTAs)/Subcontractor arrangements at this time.

6.5 Non-Personal Services

This task order is not being used to procure personal services prohibited by FAR 37.104, Personal services contract.

To counter the circumstances that infer personal services and to preserve the non-personal nature of the contract, the contractor shall adhere to the following guidelines in the performance of the task:

  • Contractor provides for direct supervision of all contract employees assigned to the task.

  • Refrain from discussing the issues such as skill levels and hours, salaries, cost and funding data, or administrative and personnel matters affecting contractor employees with the client.

  • Ensure close communication/coordination with the Procurement Project Manager, reporting problems to the Procurement Project Manager as they occur (not waiting for a monthly meeting).

  • Do not permit government officials to interview potential contractor employees, discuss individual performance, approve leave or work scheduling of contractor employees, terminate contractor employees, assist contractor employees in doing their jobs, or obtain assistance from the contractor in doing a Government job.

  • Do not assign contractor personnel to work under direct government supervision.

  • Maintain a professional distance from government employees.

  • Provide contractor employees with badges, if appropriate, identifying them as contractors.

  • Ensure proper communications with the government (technical discussion and government surveillance is okay, but the Government cannot tell the contractor how to do the job).

  • Assign a task leader to the task order. The task leader or alternate should be the only one who accepts tasking from the assigned Government point of contact or alternative.

  • The government has the right to reject the finished product or result and this does not constitute personal services.

  • When travel is required for the performance on a task, the Contractor personnel are only to travel as directed by their contract management.

6.7 Privacy Act

Performance of this task order may require that personnel have access to Privacy Information. Contractor personnel shall adhere to the Privacy Act, Title 5 of the U.S. Code, Section 552a and any other applicable rules and regulations.

6.8 Government Furnished Items

The Government will furnish the data and scripts needed at time of award. No other hardware or software will be provided by the Government.

6.9 18F's Transparency Policy

Vendors are advised that 18F will publish on a publicly available website documents associated with this requirement, including any Requests for Quotation (including amendments), Question and Answer exchanges with vendors (source-identifying information removed), and other relevant information that is not confidential/proprietary in nature or source selection sensitive information that would otherwise implicate procurement integrity concerns.

Upon award, 18F will publish the total price of the selected proposal and certain non-source-identifying data (e.g., the number of bids, the mean price, median, and standard deviation of price). During the performance of this task order, 18F will similarly publish source code, data related to project management (e.g., user stories, milestones, and performance metrics), and top-line spending data.

6.10 Data Rights and Ownership of Deliverables

18F intends that any data or deliverable created as a result of the work performed under the task order be committed to the public domain.

Further, 18F intends to commit the following items, to the public domain, at a minimum:

  • All data, documents, graphics and code created under this task order including but not limited to, plans, reports, schedules, schemas, metadata, architecture designs, and the like;

  • Any and all new open source software created by the contractor and forks or branches of current open source software where the contractor has made a modification; and,

  • Any and all new tooling, scripting configuration management, infrastructure as code, or any other final changes or edits to successfully deploy or operate the software.

The Contractor shall use open source technologies wherever possible, in support of the 18F Source Code Policy. All licenses must be expressly listed in the deliverable. Regardless of license(s) used (e.g., MIT, GPL, Creative Commons 0) the license(s) shall be clearly listed in the documentation.

If the contractor needs to use work that does not have an open source license, the contractor is required to request permission from 18F, in writing, before utilizing that work in any way in connection with the order. If approved, all licenses shall be clearly set forth in a conspicuous place when work is delivered to 18F.

If an open source license provides implementation guidance, the contractor shall ensure compliance with that guidance. If implementation guidance is not available, the contractor shall attach or include the license within the work itself. Examples of this include code comments at the beginning of a file or contained in a license file within a software repository.

6.11 GSA AAS Business Systems (AASBS) Web Portal

The GSA AASBS (Assisted Acquisition Services Business Systems also known as IT Solutions Shop (ITSS)) web portal will be accessible to the Contractor during the performance of the task order and be used in the administration of the task order. This web-based system at https://portal.fas.gsa.gov/web/guest shall be used by the contractor to upload status reports, deliverables, invoices, and to respond to inquiries. The contractor shall maintain a current account on this system.

6.12 Administration Points of Contact

The following Points of Contact (POC) are applicable to this order:

Contracting Officer Representative (COR): Esther Kim, GSA, Technology Transformation Services (202) 826-7232

Alternative Contracting Officer Representative (ACOR): Michelle McNellis, GSA, Technology Transformation Services michelle.mcnellis@gsa.gov (202) 260-0551

18F Product Manager: Jessie Posilkin, GSA, Technology Transformation Services jessie.posilkin@gsa.gov (202) 406-4689

Identity Management Product Owner: Joel Minton, GSA, Technology Transformation Services, joel.minton@gsa.com

GSA Procurement Project Manager: Kit Lee, GSA, Assisted Acquisition Services (AAS) kit.lee@gsa.gov (415) 436-8730

GSA Contracting Officer: Lynda Luo, GSA, Acquisition Operations Division lynda.luo@gsa.gov (415) 522-4633

GSA Contract Specialist: Mark Mohler, GSA, Acquisition Operations Division mark.mohler@gsa.gov (808) 541-1999

7.0 INVOICING/ PROCEDURES FOR PAYMENT

The period of performance for each invoice shall be for one calendar month. The Contractor shall submit only one invoice per month per order/contract.

The Government reserves the right to audit; thus, the Contractor shall keep on file all backup support documentation for travel, as applicable.

7.1 Content of Invoice

The Contractor’s invoice will be submitted monthly for work performed the prior month. The contractor may invoice only for the hours, travel and unique services used in direct support of the task order. The invoice shall be submitted on official letterhead and shall include the following information at a minimum.

  • Client Order ID Number

  • ACT Number

  • Prompt Payment Discount

  • Remittance Address

  • Period of Performance for Billing Period

  • Point of Contact and Phone Number

  • Invoice Amount

  • Skill Level Name and Associated Skill Level Number (for T&M or Labor Hour)

  • Actual Hours Worked During the Billing Period (for T&M or Labor Hour)

  • Clearly indicate both the current invoice’s monthly “burn rate” and the total average monthly “burn rate” (for T&M or Labor Hour)

  • Travel Itemized by Individual and Trip (if applicable)

  • Supporting documentation for travel including travel approval and receipts (if applicable)

7.2 Invoice Submission

All invoicing shall be done electronically. Password and electronic invoice access may be obtained through the AASBS web portal.

The Invoice and the Status Reports for the applicable billing period shall be entered into the AASBS portal within 5 to 10 calendar days after the end of the month. The Contractor shall submit invoices electronically by logging into the AASBS portal (https://portal.fas.gsa.gov), navigating to the appropriate order, creating the invoice for that order, and attaching a copy of the invoice and status reports with all required back-up documentation, as applicable.

The Contractor shall NOT submit any invoices directly to the GSA Finance Center (neither by mail nor via electronic submission). If the invoices are acceptable, then the Procurement Project Manager and COR will approve them for payment and complete the information in the AASBS portal.

7.3 Final Invoice

Invoices for final payment must be so identified and submitted within 60 calendar days from task completion and no further charges are to be billed. A copy of the written acceptance of task completion must be attached to final invoices. The contractor shall request an extension from the COR for final invoices that may exceed the 60-day time frame.

The Government reserves the right to require certification by a COR before payment is processed, if necessary.

7.4 Close-out Procedures

The Contractor shall submit a final invoice within 60 calendar days after the end of the performance period. After the final invoice has been paid the Contractor shall furnish a completed and signed Release of Claims (GSA Form 1142) to the Contracting Officer. This release of claims is due within 15 calendar days of final payment.

Attachments:

  1. Draft QASP

  2. Government Roles and Responsibilities