Information Security Management/Cybersecurity. The objective of cybersecurity is to protect Marine Corps information from internal and external threats and attacks, while ensuring the confidentiality, integrity, and availability of information. To achieve cybersecurity objectives, the Contractor shall adhere to the requirements of Marine Corps Order (MCO) 5239.2B and DoD Instruction 8510.01, “Risk Management Framework (RMF) for DoD IT,” for GCSS-MC/LCM Increment 1, and ensure that applicable personnel are certified in accordance with Appendix 4 of SECNAV M-5239.2, Cyberspace Information Technology and Cybersecurity Workforce Management and Qualification Manual. The Contractor shall support all assessment and authorization activities throughout the system life cycle in accordance with the latest releases or revisions of the cybersecurity policies. The Contractor shall participate in cybersecurity and vulnerability assessment scan reviews and provide technical guidance and solutions that implement cybersecurity best practices, increase the security of the system, and mitigate or eliminate vulnerabilities. The technical guidance and solutions must align with applicable STIGs. The Contractor shall apply security updates and patches to software and operating systems and conduct verification testing. The Contractor shall document all findings in a weekly cybersecurity status report.

The Contractor shall review IAVAs, Information Assurance Vulnerability Bulletins (IAVBs), Technical Advisories, Communications Tasking Orders, Marine Corps Directives, Operational Directives, CPUs, vulnerability alerts, and vendor notifications to determine their applicability to GCSS-MC/LCM Increment 1, assess their impact, and provide the assessment to the ISSM. The Contractor will track, report the status of, and provide remediation recommendations for the vulnerabilities. The Contractor shall provide an impact assessment of CPUs if there is an impact to RICECPW and document the assessment in a CR. This impact analysis shall include a detailed estimate to modify the RICECPW element for compatibility with the impacted CPUs. The impact assessment shall indicate if no changes are required. The Contractor shall maintain a Security Plan of Actions & Milestones (POAM) (CDRL E001) that lists all vulnerabilities identified by any assessment.

The Contractor shall provide encrypted RICECPW code to the GCSS-MC ISSM for code review when updates occur. When the Contractor receives the code review results from the GCSS-MC ISSM, the Contractor shall fix the issues found or propose a justification for not fixing them.

The Contractor shall support all activities required for maintaining the ATO or Interim Authority To Test (IATT) and remaining compliant with the Federal Information Security Modernization Act (FISMA). These activities include, but are not limited to: Annual Security Reviews, Annual Security Control testing, Annual Contingency Plan testing, and update and submission of a quarterly Security POAM (CDRL E001). The Contractor shall support Cyber Readiness Inspection and IV&V events as required by the GCSS-MC ISSM. This task includes, but is not limited to: reviewing and updating system security documentation, performing pre-assessment scans, analyzing vulnerability scan results, analyzing and updating configuration documentation, evaluating STIGs, evaluating test results, preparing and reviewing a Security POAM (CDRL E001), providing remediation options for vulnerabilities, and remediating the system. All vulnerabilities shall be identified in the Security POAM. The Contractor shall update GCSS-MC/LCM Increment 1 cybersecurity documentation in accordance with DoD policy and upload that documentation to a location identified by the ISSM where it is accessible to authorized individuals. The Contractor shall generate, review, and update cybersecurity documentation as required by DoD RMF processes.

The Contractor shall support cybersecurity testing by maintaining a Cybersecurity Detailed Test Plan (DTP) (CDRL E002) that identifies the specific system tests and test procedures to be performed and all STIGs used. The Contractor shall support cybersecurity testing by providing a thorough Cybersecurity Risk Assessment that identifies the security posture of the system after a test. The Contractor shall identify any procedures not performed and detail the reason for non-compliance with the pre-established DTP.