E-6B CLS – Mandatory Subcontractor Flow Down – PWS
Certification of Vendors (Applicable to CLIN 0X01)
The Contractor shall ensure that all repair sites and sources for E-6B material, if not already on the Qualified Vendor Listing, are Federal Aviation Administration (FAA) or Original Equipment Manufacturer (OEM) certified, and are in compliance with FAR 46.202-3 and 46.203. Final certification shall be provided by the TOCOR. The Contractor shall maintain a file of all vendor FAA certificates when FAA certified sources are utilized, and make the digital file available for Government inspection when requested. The Contractor is responsible for flowing all contractual requirements through their vendors to their sub-vendors.
Antiterrorism Level I Training
All permanently assigned contractor employees, to include subcontractor employees, requiring access to government installations, facilities, and controlled access areas shall complete AT Level I awareness training within 30 calendar days after task order start date. The Contractor shall submit certificates of completion for each contractor employee and subcontractor employee to the TOCOR or to the Task Order Contracting Officer (TOCO), if a TOCOR is not assigned, within 30 calendar days after completion of training. AT Level I awareness training is available at website https://jko.jten.mil.
Operations Security Program
Contractor employees, to include Subcontractor employees, shall comply with host command approved Operations Security (OPSEC) awareness training. The Contractor shall provide OPSEC protection for all classified information (as defined in Federal Acquisition Regulations (FAR) 2.101) and sensitive information (as defined in Title 15, United States Code, Section 278g-3(d)(4)). The Contractor shall abide by the guidance contained in the E-6B Mercury Security Classification Guide (SCG). The Contractor shall ensure Subcontractor implementation of OPSEC requirements for all tasks accomplished under this task order.
Diminishing Manufacturing Sources and Materiel Shortages Readiness Projects
The Contractor shall develop processes to identify and track DMSMS potential Readiness Projects. DMSMS Readiness Projects require the contractor to coordinate and interface with vendors, OEM(s), E-6B FST, DoD Obsolescence Teams, and NAVAIR Test Teams to identify DMSMS or obsolete parts that are no longer sustainable and could negatively impact fleet readiness. The Contractor shall recommend DMSMS solutions to the TOCOR for consideration and approval. Once a DMSMS Readiness Project is submitted, reviewed and approved by the TOCOR, the Contractor shall report project status during monthly OMT teleconferences.
The Contractor shall actively monitor subcontractors and suppliers to investigate and report on potential events that might prompt the operation of Task Order Special Requirements Clause TOH-1.
The Contractor shall develop processes, when applicable, to track and identify potential DMSMS efforts to include:
- Re-establish repair / depot capabilities to include tooling, development of automated test equipment, test / repair manuals and procedures;
- Develop alternative products / parts, to include Additive Manufacturing alternatives;
- Convert commercial products / parts into a useable E-6B configuration;
- Restart a limited product / part production run;
- Develop limited or full repair capability of a previously non-repairable product / part;
- Identify products / parts for Reverse-Engineering;
- Conduct Life-of-Type or bridge buys.
Cyber Security Requirements
The Contractor shall provide a system security plan and any associated plans of action developed to satisfy the security requirements of DFARS 252.204.7012 and NIST references in accordance with System Security Plan, CDRL A012. This plan shall describe the Contractor’s unclassified information system(s) / network(s) where CDI associated with the execution and performance of this task order is processed, stored, or transmitted. The Contractor shall provide the Government with access to the system security plan(s) and any associated plan of action for each of the Contractor’s tier one level Subcontractors, vendors, and / or suppliers, who process, store, or transmit CDI associated with the execution and performance of this task order. If implementation of the security requirements is not complete, the Contractor shall develop and implement plans of action to describe how and when any unimplemented security requirement will be met. Wireless Local Area Network (WLAN) capability is not provided by the Government. Any WLAN implementation by the Contractor shall be in accordance with DoDI 8420.01, Commercial Wireless Local Area Network (WLAN) Devices, Systems, and Technologies in addition to the requirements of NIST SP 800-171. If implemented by the Contractor, unclassified WLAN components / network shall be included in the System Security Plan, CDRL A012.
At the Post-Award Conference, the Contractor and the Government will identify and affirm marking requirements for all CDI, as prescribed by DoDM 5200.01, Volumes 2 and 4. The Contractor shall develop any associated documentation, as needed and mutually agreed upon, in the execution and performance of this task order. The Contractor shall document, maintain, and provide a record of all Tier 1 level suppliers in accordance with Contractor’s Record of Tier 1 Level Suppliers Receiving / Developing Covered Defense Information, CDRL A013, a record of all tier one Subcontractors, vendors, and / or suppliers who will develop or receive CDI associated with the execution and performance of this task order. The Contractor shall restrict unnecessary sharing and flow-down of any CDI, based on a clear “need-to-know” basis, and in accordance with the marking and dissemination requirements developed and / or specified under this task order.
The Contractor shall flow-down the requirements listed herein to their tier one level Subcontractors, vendors, and / or suppliers. If a Subcontractor / vendor does not agree to comply with these terms, then CDI shall not be flowed down to that Subcontractor / vendor nor shall CDI reside on any of the Subcontractor’s / vendor’s information systems.
Program Protection and Management
The Contractor shall develop and execute a Program Protection Implementation Plan (PPIP), which shall comply with the E-6B PMA-271 Program Protection Plan (PPP) (Appendices B, D and E) and the DD Form 254 (See Attachment 3). The PPIP shall be submitted in accordance with PPIP, CDRL A014. The Contractor shall flow down program protection requirements to all Subcontractors and vendors. To ensure effective and efficient protection of essential program information, technologies and systems, and in accordance with OPSEC requirements outlined in Section 4.4.4 of the PPP, the PPIP shall include the below requirements:
- Contractor’s Security Management structure;
- Proactive Cyber, Supply Chain (Infrastructure and Material), Risk Management, Software Assurance and Counterfeit protection plans in accordance with DFARS Subpart 246.870;
- The Critical Program Information (CPI) and Critical Component (CC) physical locations under the Contractor’s or Subcontractors’ / vendors’ control;
- The vulnerability of the CPI / CC under the Contractor’s or Subcontractors’ / vendors’ control to intelligence collection in the following areas: Human Intelligence (HUMINT); Open Source Intelligence (OSINT); Signals Intelligence (SIGINT); Imagery Intelligence (IMINT); Computer Network Operations (CNO);
- Countermeasures implemented at each site where CPI / CC is held, from the following security domains (as applicable): physical security; personnel security; telecom and network security; application / systems development; cryptography; security architectures; operational security; network and IT access control, supply chain and supply chain data;
- Any special handling procedures required for CPI / CC, and procedures for recovering CPI / CC in the event of a mishap. The Contractor shall address these procedures for all phases in the event of mishap in the PPIP;
- The Contractor’s PPIP shall implement processes to report security loss, compromises, spillages in accordance with DoDD 5205.02E, DoDM 5220.22M, DoDM 5200.01 (Volumes 1 – 4), and SECNAVINST 5510.36;
- Procedures for ensuring compliance with U.S. Government export statutes and regulations;
- Procedures for public release of program information;
- The Contractor shall ensure that all repair sites and sources for E-6B material are inspected and certified to comply with the PPP. Should a Subcontractor / vendor be deemed non-compliant, TOCOR notification is required;
- The Contractor shall provide the Government with a listing of verified compliant and non-compliant sub-vendors annually in accordance with Verified Compliant Vendor Report, CDRL A015.
Supply Chain Risk Management
The Contractor shall mitigate supply chain risk in the provision of supplies and services to the Government for the E-6B platform. The Contractor shall support the Government in managing a SCRM program. The Contractor shall identify a SCRM Coordinator to manage E-6B supply chain risks. The Contractor shall provide the name and contact information of the SCRM Coordinator to the TOCO within 10 working days of task order award. The Contractor shall notify the TOCO of a change in the SCRM Coordinator assignment within 48 hours of the change.
The Contractor shall support the Government in maintaining a Supply Chain Critical Components List (SCCCL). The SCCCL shall be updated whenever a component reaches obsolescence and requires replacement. The SCCCL shall be delivered in accordance with CDRL A016.
The Contractor shall determine which system components, services, and/or functions of National Security System (NSS) or non-NSS supporting NSS should integrate SCRM practices based on an analysis of the criticality of those system components, services, and/or functions in achieving, protecting, or impacting the mission critical functions of NSS or non-NSS supporting system, to include data transiting, processed by, or stored therein. The Contractor shall utilize the SCCCL when assessing systems or subsystem components in accordance with Obsolescence Alert Notice, CDRL A008.
The Contractor shall develop and maintain a listing of all supply sources and vendors, including foreign sources and vendors, to identify the sources used to procure all items. Utilizing their visibility into the E-6B supply chain, the Contractor shall develop an E-6B Supply Chain Suppliers’ mapping matrix that will identify lower tier vendors and how they relate to the E-6B Supply Chain and the SCCCL. The matrix shall be delivered quarterly in accordance with Supply Chain Suppliers’ Mapping Matrix, CDRL A017. The Contractor shall identify the risks to the E-6B supply chain and develop risk mitigations and plans to counter risk in accordance with the E-6B PPP. Mitigations and plans shall be submitted in accordance with Program Management Report, CDRL A001, and Obsolescence Alert Notice, CDRL A008. The Contractor shall flow down supply chain risk management requirements to all Subcontractors and lower tier vendors. The Contractor shall flow down in all vendor task orders the requirement for voluntary compliance and reporting with the Cybersecurity Maturity Model Certification version 1.0. The results of voluntary compliance shall be included in Supply Chain Suppliers’ Mapping Matrix, CDRL A017.
Discrepancies shall be reported to the Government as realized in accordance with Supply Chain Suppliers’ Mapping Matrix, CDRL A017.
Subcontractor / Vendor Cost Data Reporting
The Contractor shall:
- Flow down Contractor Cost and Software Data Reporting (CSDR) requirements to any Subcontracts / Procurements valued over $50 million or any Subcontracts / Procurements valued between $20 million and $50 million that are designated by the Cost Working Integrated Product Team (CWIPT) as high risk, high value, high technical interest or a middle-tier acquisition (804);
- Notify the Government of any Subcontractor / vendor changes or new subcontracts awarded for subcontracts that exceed $50 million;
- Flow down DD Form 1921-3, CDRL B004, requirements to any Subcontractors / vendors required to submit Cost and Software Data Reporting.