2.2.1 Attachment B - PWS - Final

Procurement Sensitive
Performance Work Statement

Student Exchange Visitor Program (SEVP)
External Training Application (SETA)
U.S. Immigration and Customs Enforcement (ICE)

The Student and Exchange Visitor Program (SEVP)
March 3, 2021
ICE SEVP SEVP External Training Application (SETA) PWS
Table of Contents
Performance Work Statement ................................................................................................. 1
1.0 Project Title.................................................................................................................. 4
2.0 Background ...................................................................................................................... 4
3.0 Scope of Work .................................................................................................................. 5
4.0 Roles and Responsibilities ................................................................................................... 5
5.0 Technical Overview ....................................................................................................... 6
5.1 System Description ....................................................................................................... 7
5.2 Internal Interfaces ............................................................................................................. 7
6.0 DHS Enterprise Architecture Compliance .............................................................................. 7
7.0 SETA Environments Overview ............................................................................................. 8
8.0 Applicable Publications ....................................................................................................... 8
9.0 Tasks ............................................................................................................................... 8
9.1 O&M Support .................................................................................................................... 9
9.2 Project Management .........................................................................................................10
9.3 Maintain Data / Software Administration .............................................................................10
9.4 Identify Problem and Modification Process ...........................................................................11
9.5 Requirements Analysis Management ...................................................................................12
9.6 User Management ............................................................................................................13
9.7 Maintain System / Software ...............................................................................................13
9.8 Break-fixes and Security Management ............................................................................17
9.8.1 Emergency Break-fixes Implementation ...........................................................................17
9.8.2 Cybersecurity Management ....................................................................................17
9.9 Software Development Processes and Tools .........................................................................18
9.10 Disposition .....................................................................................................................19
10.0 Deliverables ...................................................................................................................19
10.1 Project Management Plan and High-Level Project Roadmap ..................................................20
10.2 Product Roadmap ...........................................................................................................20
10.3 System Lifecycle Management (SLM) Deliverables ..............................................................21
10.4 Enterprise Systems Assurance Plan (ESAP) ........................................................................21
10.5 Configuration Management ..............................................................................................21
10.6 Transition-out Plans ........................................................................................................21
10.7 Kick-Off briefing .............................................................................................................21
11.0 Key Personnel ................................................................................................................22
11.1 IT Project Manager (PM) - Level III ...................................................................................22
11.2 Training Content Project Manager (PM) .............................................................................22
11.3 Sr Technical Application Developer ...................................................................................23
11.4 Web Designer/Sr Applications Developer ...........................................................................23
12.0 General Requirements .....................................................................................................24
12.1 Period of Performance .....................................................................................................24
12.3 Hours of Operations ........................................................................................................24
12.4 Non-Personal Services .....................................................................................................24
12.5 Business Relations ..........................................................................................................24
12.6 Contract Management .....................................................................................................25
12.7 Contract Administration ...................................................................................................25
12.8 Subcontract Management ................................................................................................25
12.9 Organizational Conflict of Interest (OCI) ............................................................................25
12.10 Invoicing .....................................................................................................................25
12.11 Government Furnished Equipment (GFE)/Government Furnished Property (GFP) ..................25
12.12 Government Furnished Information (GFI) ........................................................................25
12.13 Security and Privacy ......................................................................................................26
12.14 Cybersecurity Language for High Risk Contracts ...............................................................33
Attachment A: List of Acronyms ...............................................................................................34
- Page i -
PROCUREMENT SENSITIVE INFORMATION

Attachment B: Performance Requirements Summary .................................................................37
- Page i -

Performance Work Statement

1.0 Project Title
Student and Exchange Visitor Program (SEVP) External Training Application (SETA)
2.0 Background
The Illegal Immigrant Reform and Responsibility Act (IIRIRA) of 1996 (Public Law 104-208)
contains a provision requiring the monitoring and reporting of the activities of foreign students and
exchange visitors while they reside in the United States (US). Section 64l(c) mandates that an
electronic data collection system be developed, for US approved institutions of higher education and
designated exchange visitor programs, to monitor non-immigrants possessing or applying for F, M,
and J class visas with a Certificate of Eligibility.
The Student and Exchange Visitor Information System (SEVIS) also allows the Department of
Homeland Security (DHS) to meet the requirements of the Enhanced Border Security and Visa Entry
Reform Act, (H.R. 3525) which was signed into public law (Public Law 1 07-173) on May 14, 2002.
The foreign student related provisions amend section 641 of IIRIRA (the law that requires SEVIS)
and applies to F, M, and J visa holders. These provisions include establishing an electronic means to
monitor and verify acceptance of a foreign student, or exchange visitor, by an institution (Form I-
20, Certificate of Eligibility for Nonimmigrant Student Status or DS-2019, Certificate of Eligibility
for Exchange Visitor Status); reporting within 30 days after the enrollment period the students who
fail to enroll; and the requirement for schools and exchange visitor programs to report additional
information on non-immigrants such as date of enrollment.
The Student and Exchange Visitor Program (SEVP) has been established as part of the Homeland
Security Investigations (HSI) National Security Investigations Division within U.S. Immigration and
Customs Enforcement (ICE). SEVP is responsible for delivering SEVIS, which is an Internet-based
application that facilitates timely electronic reporting and monitoring of international students,
exchange visitors (EVs), and their dependents in the United States. SEVIS enables schools and
program sponsors to transmit electronic information to DHS and the Department of State (DoS)
throughout a student's or EV's program in the United States. SEVIS is intended to improve customer
service by streamlining the application and adjudication processes. It also addresses deficiencies in
the current student and school’s system process by providing information technology solutions and
modifying business processes.
SEVIS allows schools to submit school certification applications, update certification information,
submit updates to the DHS that require adjudication, and create and update F1 (academic) as well as
M1 (vocational) student and dependent records. DHS Managers and Adjudicators have the capability
to adjudicate updates made to school records using SEVIS, and Principal Designated School
Officials and Designated School Officials (P/DSO) are notified through SEVIS of the adjudication
results. SEVIS also allows program sponsors to submit certifications forms for J1 visa program,
creating program designations, and updating program designation information. DoS personnel have
the capability to adjudicate information submitted by Responsible Officers and Alternate
Responsible Officers (R/AROs). R/AROs are notified through SEVIS of any adjudication results.
SEVIS shares information with other systems to better monitor the status of a student or EV
throughout their stay in the United States. This allows SEVIS to meet requirements of the Unifying
and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct
4
Terrorism (USA PATRIOT) Act (Public Law 107-56 passed on October 26, 2001).
Among other things, the USA PATRIOT Act stated that for each non-immigrant for whom
information is collected under the IIRIRA Section 641, the Attorney General, in consultation with
the Secretary of State, will include information on the date of entry and Port of Entry (POE).
The Student Exchange and Visitor Program (SEVP) External Training Application (SETA) was
established as the training component of the Student Exchange and Visitor Information System
(SEVIS). The SETA project maintains Moodle and any other, OCIO directed, COTS/open-source
products as the learning management system, and designing, developing and implementing a training
curriculum for the SEVP program. Moodle is the learning management system that allows SETA
users to access course material for their training.
3.0 Scope of Work

The Contractor shall provide Break-Fix and Operations & Maintenance (O&M) support as well as
plan, design, and develop training modules for the SEVP External Training Application (SETA).
The Contractor shall implement support to include, but are not limited to, break-fixes, patching,
defects and security related work of the current O&M system as outlined in the OCIO Systems
Lifecycle Management (SLM) and Agile. All work will need to be approved by the Product Owner
(PO) and the Contracting Officer Representative (COR). It is the Government’s intention to
continually pursue improvements to processes and practices, which will result in meeting mission
requirements at the lowest possible cost. The Contractor shall partner with the Government to pursue
process improvements by evaluating existing processes and recommending improvements.
Regarding all support of this contract/order, the Contractor shall be aware that the Government and
other contractors are engaged in similar and supporting work in support of SEVP, which will require
close cooperation. Contractors are expected to form a cohesive team with all OCIO and SEVP team
members to include the Government and other contractors by fostering transparency and information
sharing for successful task execution.
4.0 Roles and Responsibilities

This list briefly outlines some of the roles and responsibilities for key federal personnel that the project team
will work with on a regular basis:
• Project Sponsor/ Product Owner: Represents the operational needs of the business unit and the system
users; participates throughout the SLM process to ensure that the system meets operational, security, and
user requirements; and answers to the System Owner.
• IT Project Manager: Serves as the central point of responsibility for project decisions and activities;
coordinates the technical aspects of the project; manages the project to achieve cost, schedule, and
performance goals; answers to OCIO.
• Requirements Owners: Internal system users; draft requirements; participate in the user acceptance
testing; and answer to their respective Unit or Section Chiefs.
• Information Systems Security Officer (ISSO): Performs security actions for an information system -
Ensures the implementation and maintenance of security controls in accordance with the Security Plan and
DHS policies; participates in planning and executing the SLM process by providing information security
expertise; ensuring that appropriate steps are taken to implement information security requirements
throughout the SLM process; reviewing and commenting on all SLM security documents; and answers to
5
the Security Area Manager, IAD.
• Information System Owner (ISO): Ensures required security documents and reviews are prepared and
included in the SLM; ensures adequate funding is available for implementation of security requirements;
answers to the Director of SEVP to the ICE CIO (the ICE CIO is the Authorizing Official (AO)).
Determines the degree of acceptable residual risk based on mission requirements, reviews the Security
Authorization (SA) package, and grants or denies Authority to Operate (ATO).
• Section 508 Coordinator: Coordinates efforts with project teams for Section 508 Assistive Technology
Interoperability compliance.
• ICE Privacy Officer: Ensures that technology implementations across ICE sustain privacy protections as
mandated by Section 208 of the E-Government Act of 2002 and Section 222 of the Homeland Security
Act. Answers to the Office of Information Governance and Privacy, Privacy Division
• Contracting Officer’s Representative (COR): Ensures that contractors meet the commitment of their
contracts/orders; facilitate proper development of requirements; and assist Contracting Officers in
developing and managing their contracts/orders to stay within the cost, schedule and scope of the
contract/orders. Here at SEVP the COR answers to the CO and the Director of SEVP.
5.0 Technical Overview

The Government will store/house SETA on the Amazon Web Services (AWS) Cloud. The
Contractor shall ensure that the AWS instance for the hands-on SMU system training faithfully
replicates the functions and performs like the production system.
The Contractor shall replicate security, authentication, user account data, and overall system
operations access. System users shall provide and maintain the hardware on the client tier. The
technical staff at ICE manages all other tiers. These three tiers are isolated from the client tier by a
perimeter network called the Demilitarized Zone (DMZ) provided by the AWS infrastructure. The
AWS configuration permits only Internet traffic to pass through predefined ports for HTTP
connection and secure sockets layer (SSL) connection to reach the SMU system training
environment. The internal firewall of the DMZ is also configured to allow Intranet traffic to pass
through predefined ports for virtual private network (VPN) connection to reach the SMU system.
The Resin application servers in the application tier are grouped into an application server cluster
where requests from the Web tier are distributed to the application servers.
The Contractor shall implement Kanban, the chosen Agile methodology for O&M, to manage and
optimize the flow of work. The Contractor shall track work items from the time they enter the system
to the time they leave, providing continuous indicators of the amount of Work in Process and the current
lead time. In other words, how long, on average, it takes an item to get through the system.
The Scrum framework at ICE is a lightweight process. It focuses on increasing the productivity
of teams while reducing wastes and redundant activities. All work items will be managed using
Kanban unless the PO and the ITPM deicide that some work items are better managed in Sprints.
For both methods, Confluence and SharePoint will be utilized for project documentation.
Note: Any exception must be approved by the Technology Transformation Committee (TSSC), and,
in certain cases, the adoption of some agile practices may be required.
6
5.1 System Description

• LAMP Stack on Amazon Web Services (AWS). Php 7.0.16, MySQL 5.6.36, Apache 2.4.25,
Amazon Linux version 4.4.44-39.55.amzn1.x86_64 used by Moodle
• Moodle learning management system (LMS) deployed as “LAMP stack” application in
SEVP AWS cloud
• Sharable Content Object Reference Model (SCORM) initial content development platform;
moved to eXperience API (xAPI/Tincan) for improved user interaction tracking capability
• Articulate StoryLine 3 used for content object packaging and export
• LearningLocker open source learning record store (LRS) is being used to collect and expose
extended user interaction dataset
• Network filesystem: Amazon Elastic File System (Amazon EFS)
5.2 Internal Interfaces

This section provides an example of one the systems that, in the future, may interface with another
SMU system. Additionally, this section is an example of the format and frequency of data
exchanges.
Table 1 describes the ICE systems that the SMU system interfaces with in relation to SETA.
Table 1. Internal System Interfaces
Format/
System Description Interface Protocol/ Frequency
Type Transport
Outgoing JSON On
ICE – SEVIS SEVIS provides data on SEVIS USERS Incoming RESTful Demand
6.0 DHS Enterprise Architecture Compliance

All solutions and services shall meet DHS and ICE Enterprise Architecture (EA) policies, standards,
and procedures. Specifically, the contractor shall comply with all of the following DHS EA
requirements:
• All developed solutions and requirements shall be compliant with the DHS EA;
• All IT hardware and software shall be compliant with the ICE EA Technical Reference Model
(TRM) Standards and Products Profile;
• Description information for all data assets, information exchanges, and data standards, whether
adopted or developed, shall be submitted to the Enterprise Data Management Office (EDMO)
for review, approval, and insertion into the DHS Data Reference Model and Enterprise
Architecture Information Repository;
• Development of data assets, information exchanges and data standards will comply with the DHS
Data Management SEVP Guidance MD 103-01 and all data-related artifacts will be developed
and validated according to DHS data management architectural guidelines; and
• Applicability of Internet Protocol Version 6 (IPv6) to DHS-related components (networks,
infrastructure, and applications) specific to individual acquisitions shall be in accordance with
the DHS Enterprise Architecture (per OMB Memorandum M-05-22, August 2, 2005) regardless
7
of whether the acquisition is for modification, upgrade, or replacement. All EA-related

component acquisitions shall be IPv6 compliant as defined in the U.S. Government Version 6
(USGv6) Profile (National Institute of Standards and Technology (NIST) Special Publication
500-267) and the corresponding declarations of conformance defined in the USGv6 Test
Program.
7.0 SETA Environments Overview

The cloud infrastructure, AWS, will host the SETA application. The Government will provide the
following environments:
• Virtual Development Workstations;
• Development Integration (DEV-INT);
• Functional Qualification Testing (FQT);
• Performance Testing (PERF);
• Staging (Pre-PROD); and
• Production (PROD).
The Government will provide support for these environments.
8.0 Applicable Publications
The Contractor shall abide by all applicable Federal, DHS, and ICE laws, regulations, policies,
standards, publications, manuals, and procedures.
Not all laws and regulations are listed below. The guidance listed provides ICE and/or DHS
implementation policies and/or procedures for higher level guidance. If newer versions of these
documents are officially released, the Contractor shall comply with these updated versions within a
timeframe established by the Government.
• ICE Technical Architecture Guidebook;
• ICE Technical Reference Model (TRM) (Standards Profile);
• ICE Enterprise Systems Assurance Plan;
• ICE Agile Development Framework;
• DHS Management Directive (MD) 4300.1, Information Technology Systems Security;
• DHS 4300A Sensitive Systems SEVP Guidance, Version 9.1, July 17, 2012;
• DHS 4300B National Security Systems SEVP Guidance, Version 8.0, December 27, 2010;
• DHS Management Directive (MD) 11042.1, Safeguarding Sensitive But Unclassified (For
Official Use Only) Information, January 6, 2005;
• ICE Management Directive (MD) 4003.1, Safeguarding Law Enforcement Sensitive
Information, March 23, 2007;
• ICE Management Directive (MD) 4001.1, Electronic and Information Technology and
Accessibility, March 12 2009;
• DHS Directive 047-01, Privacy SEVP Guidance and Compliance, July 7, 2011;
• The Government recommends that the Contractor use the Information Technology
Infrastructure Library (ITIL) framework in the performance of this task;
• DHS Memorandum: Class Deviation 15-01 from the Homeland of Security Acquisition
Regulation: Safeguarding of Sensitive Information, March 9, 2015
http://dhsconnect.dhs.gov/org/comp/mgmt/dhshr/emp/Documents/StandardsandSpecsGuide_
LTI.pdf.
9.0 Tasks
8
9.1 O&M Support

The Contractor shall provide SETA O&M support for both SEVP and DoS. The Contractor shall
plan, design, develop, and provide full O&M support as defined in the OCIO System Lifecycle
Management. The emphasis of this task will be to ensure that all stakeholder and system user needs
are met and the system continues to perform as specified in the operational environment.
Additionally, as O&M personnel monitor the current system, process improvement
recommendations should be provided. Changes will be required to fix problems, possibly add
features, and to make improvements to the system. This task will continue as long as the system is
in use.
The Contractor shall, as required, provide support to modify SETA or courses after delivery to
correct faults; improve performance or other attributes; adapt to a changed environment or
maintenance activities focused on anticipated problems; and perform preventative maintenance to
support a continuously operating and reliable, stable, and secure application.
In order to support creating effective content that is interesting and relevant in facilitating a solid
understanding of SEVP’s governing regulations and Final Guidance, the Contractor shall use proven
behavior science and cognitive learning principles. SETA shall provide cutting-edge technology,
strong writing, purposeful humor, and original animation. SETA shall be available in courses for all
user roles in production including F and M certified schools, P/DSOs, and R/AROs. SETA shall also
track and measure the training, progress, and results for individuals with an interface to an SMU
system.
Note: Work on all course(s) or module(s) are dependent on the availability of program
funds/funding.
O&M support should follow the latest version of the ICE System Lifecycle Management (SLM)
process for details. This document defines tasks, activities, and responsible parties. The ITPM and
Product Owner (PO) will update the product teams as changes occur. Systems operations activities
and tasks need to be scheduled, on a recurring basis, to ensure that the production environment is
fully functional and is performing as specified. The following is a checklist of systems operations
key tasks and activities:
• Ensure that systems and networks are running and available during the defined hours of
Operations;
• Implement non-emergency requests during scheduled Outages, as prescribed in the SLM and
Security;
• Ensure all processes, are documented in the operating procedures. These processes should
comply with the system documentation;
• Perform backups (day-to-day protection, contingency), as directed by the ITPM;
• Perform the physical security functions including ensuring adequate controls, Personnel have
proper security clearances and proper access privileges etc;
• Ensure contingency planning for disaster recovery is current and tested as required by OCIO and
the System Owner;
• Maintain performance measurements, statistics, and system logs. Examples of performance
measures include volume and frequency of data to be processed in each mode, order and type of
operations;
• Monitor the performance statistics, report the results and escalate problems when they occur; and
9
• The development of new baseline core requirements may be generated by other sources of
regulatory guidance or oversight, as needed.
9.2 Project Management

The Contractor shall provide project management support throughout the life of the contract to
include reporting, troubleshooting, presentations, creating, and maintaining project-related
documentation. The contractor shall provide support for meetings with stakeholders to include
organizing meetings and taking notes.
The Contractor shall support subsequent reviews and retrospectives until final production-ready
training applications are resident in the target architecture for SETA, and said applications are
approved and accepted by the government authority.
The Contractor shall communicate in writing the basis of estimate/burn down chart for each sprint
session and the specific impact information such as sprint blockers, proposed function point changes,
and production estimates that impact project milestones and completion times.
The Contractor shall not accept additional function point introductions as a result of follow-on
technical exchanges once the sprint bloc is closed and approved. Only the government Product
Owner(s) is authorized to revisit the work accepted for a sprint once approval is provided by the
government.
If OCIO requires that this application move from the commercial cloud to the ICE cloud
environment, the Contractor shall develop a migration plan and prepare the SETA team for the
migration following SLM process.
9.3 Maintain Data / Software Administration

The Contractor shall provide Data/Software Administration support to ensure that input data and
output data and data bases are correct and continually checked for accuracy and completeness. This
includes insuring that any regularly scheduled jobs are submitted and completed correctly. Software
and data bases should be maintained at (or near) the current maintenance level. The backup and
recovery processes for data bases are normally different than the day-to-day volume backups. The
backup and recovery process of the data bases should be done as a Data / Software Administration
task by a data administrator while communicating with the ITPM and PO. A checklist of Data /
Software Administration tasks and activities are:
• Performing a quarterly Verification / Validation of data, correct data-related problems;
• Performing production control and quality control functions (Job submission, checking and
corrections);
• Interfacing with other functional areas for day-to-day checking / corrections;
• Installing, configuring, upgrading, and maintaining data base(s). This includes updating
processes, data flows, and objects (usually shown in diagrams);
• Developing and performing data / data base backup and recovery routines for data integrity and
recoverability. Ensure documented properly in the Operations Manual; and
• Performing quarterly configuration/design audits to ensure software, system, and parameter
configurations are correct.
Following the successful deployment of each Course and final application, the Contractor shall
provide O&M support for all tiers for technical request. During this support period, the Contractor
10
shall identify and correct software, performance, and implementation failures. Corrective work
includes performing changes that reflect a change to requirements or technical specifications, as well
as updating and maintaining the required System Lifecycle Management (SLM) documentation,
including establishing and maintaining Interface Control Agreements (ICAs) with all interface
partners.
As a part of O&M support, the Contractor shall provide Tier 3 Support for all of the SETA Courses
once they are in production. Tier 3 Support includes but is not limited to, the following
responsibilities:
• Production support of the courses and insuring availability 24/7/365 in the event of production
issues;
• All maintenance activities that reach this level shall have a ticket opened and be reported using
the ICE approved tracking tool;
• Tickets will be prioritized and agreed to by the authorized government personnel and entered
into the ICE approved management-tracking tool;
• Known issues that cannot be addressed through a ticket shall be documented and coordinated
with the OCIO ITPM for guidance;
• Responding to all Maintenance Tier 3 trouble tickets within three (3) business days or agreed
upon in advance by the government;
• Implementing automated monitoring and alerting in order to proactively detect issues; and
• Supporting on-going training operations including but not limited to troubleshooting issues, code
fixes, and updating the system to meet new requirements.
Note: ICE oversees other contractors and federal personnel who will provide input for product
planning, solution architecture, and engineering.
The baseline core requirements supporting SETA are managed and updated, as needed, from the
Governing regulations and SEVPs Final Guidance below:
• SEVP’s governing regulations for students and schools - https://www.ice.gov/sevis/schools/reg

o INA § 101(a)(15)(F)(i) F-1.
o INA § 101(a)(15)(F)(ii) F-2.
o INA § 101(a)(15)(M)(i) M-1.
o INA § 101(a)(15)(M)(ii) M-2.
• e-CFR: Exchange Visitor Program – http://www.ecfr.gov/cgi-

bin/retrieveECFR?gp=&SID=1bc531bf257789e45b3049bff8b50d64&r=PART&n=22y1. 0.1.7.35
o INA § 101(a)(15)(J)(i) J-1.
o INA § 101(a)(15)(J)(ii) J-2.
• SEVP Final Guidance1 - https://studyinthestates.dhs.gov/sevp-guidance-for-comment
9.4 Identify Problem and Modification Process

One fact of any system is that change is inevitable. Stakeholders and users need an avenue to suggest
1 “Final guidance” is official SEVP guidance that establishes standards or requirements and is used in SEVP
adjudications. Final guidance is not open for public comment. It is intended to clarify law or regulation related to
SEVP adjudications and does not replace or supersede those laws or regulations.
11
change and identify problems. A User Satisfaction Review, which can include a Customer
Satisfaction Survey, can be designed and distributed to obtain feedback on operational systems to
help determine if the systems are accurate and reliable. Systems administrators, stakeholders, and
users need to be able to make recommendations for upgrade of hardware, architecture, and
streamlining processes. For the small in-house system, modification requests will be handled through
the in-house SETA inbox. For larger integrated systems, modification requests must be addressed in
Jira and may take the form a formal Change request and may require justification and cost benefits
analysis for approval by a requirement review board. A request for modifications to a system may
also generate an interface that will require additional approval documentation and SLM
documentation.
9.5 Requirements Analysis Management

The Contractor shall use SEVP’s Agile processes during requirements analysis, documentation, and
implementation for all training products. User stories will be created and written by the Government
to deliver the functionality for each Course/iteration of the training, which are based on the
regulations and Final Guidance.
The Contractor shall conduct requirements gathering that includes defining and recording
requirement(s) with the Requirements Owner(s) and the Product Manager(s)/Product Owner(s).
The Contractor shall deliver, manage, and update, as needed, a Product Roadmap that will
communicate upcoming release dates to ensure users will comply with SEVP’s training requirements
on the governing regulations and SEVP Guidance to meet their obligations as government-approved
users of the system.
The Contractor shall support SEVP's Agile process to collect and validate requirements by
supporting or facilitating Requirement Owner(s) and Product Manager(s)/Product Owner(s)
sessions, sprint planning, daily scrum sessions, scrum of scrums, sprint backlog reviews, and
subsequent reviews and retrospectives until final requirements validation is approved by the
SEVP/DoS Product Managers. Technical aspects of planning are subject to review and approval by
the SEVP Training Product Owner(s). The SEVP/DoS Program Managers will prioritize stories for
development and determine if the completed development is acceptable in accordance with Agile
processes.
The Contractor will use Agile processes to manage the project. The Contractor shall use Agile
development methodologies, such as Scrum or Kanban. Agile process is to be approved by the
Product Owner.
The Contractor shall be primarily concerned with the implementation cycle, which in the case of
Scrum includes Sprint planning, application design, development and testing, deployment, Sprint
review, Sprint retrospective, and ongoing operations and maintenance to include SETA Help. The
Government will dictate how long the sprints will be. The Government will provide a Scrum Master
to facilitate the Agile development process and perform the traditional duties of the Scrum Master
role.
The Contractor shall not put any content in production without the sign-off of Requirements
Owner(s) and Product Manager(s)/Product Owner(s). User stories will be drafted by the
Requirements Owners, finalized by the Product Manager(s)/Product Owner(s), and the Contractor
12
for implementation in the form of a product backlog. The Government Product Owner(s) will provide
prioritization of user stories.
The Contractor shall:

• Work with the requirements owners/working group to elicit requirements and assist in
developing user stories per requirements owner’s direction. Once the user story is approved by
the Product Owner, the contractor will develop any chores that define the software, hardware,
and application development requirements to achieve a functional requirement.
• Support the iterative, collaborative development tasks of defining what functions and user stories
will deliver a modular, scenario-driven training application that enhances user training for
systems administrators, users, and instructors.
• Provide the baseline function points and user stories that deliver compliance with ICE and DoS
policies, regulations, and guidance throughout the life cycle of the SEVP External Training
Applications/Courses.
Note: Work on all course(s) or module(s) will be dependent on the availability of program
funds/funding.
9.6 User Management

The Contractor shall manage user access to the SEVP External Training Application. Account
management tasks shall configure access for government personnel roles only. Account management
tasks shall include, but are not limited to:
• Add/remove roles in the training environment;
• Leverage production user accounts and roles from an SMU system;
• Reserve certain roles and training solely for government personnel (PIV enabled), such as law
enforcement training;
• Ensure school and program roles are available to trainees who do not yet have access to the SMU
system;
• Maintain the SETA Help Inbox:
o Response time window of four (4) hours during working hours;
o Track Help Tickets on SETAHELP Kanban board; and
• Route content issues to the SEVP Communications and Training Team (SCT).
9.7 Maintain System / Software

Daily operations of the system /software may necessitate that maintenance personnel identify
potential modifications needed to ensure that the system continues to operate as intended and
produces quality data. Daily maintenance activities for the system takes place to ensure that any
previously undetected errors are fixed. Maintenance personnel may determine that modifications to
the system and databases are needed to resolve errors or performance problems. Also, modifications
may be needed to provide new capabilities or to take advantage of hardware upgrades or new releases
of system software and application software used to operate the system. New capabilities may take
the form of routine maintenance or may constitute enhancements to the system or database as a
response to user requests for new/improved capabilities. Thus, new capabilities may require a new
problem resolution process.
The Contractor shall maintain and update SETA in accordance with government regulations and
SEVP’s Final Guidance.
13
Examples of the courses are as follows (but are not limited to):
• SEVP Basics: Provides an overview of SEVP, SEVIS, and the management of nonimmigrant
students (Existing course);
• SEVP 101: History and roles of SEVP and SEVIS in monitoring nonimmigrant students,
exchange visitors, and certified/designated institutions (Existing course);
• EVP 101: Overview of the EVP, the categories, and the responsibilities of the Private Sector
Exchange offices (Existing course);
• Intro to Initial SEVP Certification: Overview of federal regulation 8 CFR 214.3, which governs
SEVP school certification requirements. Outlines ongoing duties for certified schools. (Existing
course);
• Managing a Designation: Best practices for managing an exchange visitor program including
using SEVIS, reporting, process summary, and using Pay.gov (Existing course);
• SEVP 3: Maintaining School Records (Existing course);
• SEVP 4: Becoming a Nonimmigrant Student (anticipated future course);
• SEVP 5: Maintaining Student Records (anticipated future course);
• SEVP 6: Managing Exchange Visitor Records (EVP3) (anticipated future course).
This training application helps mitigate vulnerabilities within SEVPs main system, SEVIS, that
emphasizes critical information that our external users need to manage and/or stay compliant with
the regulations around F, M, and J visa categories. Emphasis shall be placed on the use of behavioral
science training techniques to mitigate known training deficiencies, which were borne from using a
business system as a training substitute for actual interactive coaching systems that are necessary to
raise training efficiency and trainee engagement.
The Contractor shall work extensively with users, Requirement Owner(s) (Requirements Working
Group), Product Manager(s)/Product Owner(s), Scrum Master, IT Project Manager(s). and the ICE
Engineers and Architects to ensure that the SETA continually delivers solution(s) and value to the
business unit and users.
The Contractor shall follow ICE SLM, using OCIO’s technical documents repository to include but
are not limited to:
• Code Development - Define, author, and deliver custom application code that conforms to
the requirements and application architecture provided by the government;
• Integration Support - Integrate solutions into a custom built, modernized system, provide
configuration, customization, and implementation services;
• Deployment Activities - Plan, create, and validate the implementation and deployment
instructions (version description document [VDD], deployment plan) for use during
application deployment;
• DevOps – As per the direction of the ITPM, work collaboratively and cross functionally
with other SEVP/OCIO contractors to implement Continuous Integration and Continuous
Delivery; and
• Participate in integrated program/project teams and/or Scrum teams to enhance communication,
14
discuss lessons learned, and facilitate rapid identification and mitigation of dependencies
between various functional entities.
The Contractor shall manage and update, as needed, a Plan of Actions and Milestones (POA&M)
and assist the Government in resolving any security issues that arise throughout the development,
testing, and/or deployment phases. The training application shall possess the ICE security
configurations and constraints to ensure policies regarding government restricted site access are
implemented and adhered to throughout the SEVP System Training application
The Baseline Functional Model will deliver full user-driven architecture functionality for every
profile with the ability to track and audit all actions by profile.
Based on mission need, SETA needs will be able to communicate training data to another SMU
system as requested.
The system shall keep records that track the user’s activities and accomplishments. The trainee shall
have the ability to return to the "Saved State" of the training application at the point of interruption
and resume training. The system must be able to create and maintain training certificates.
SETA shall audit the following systems and user activities:
• User access;
• Query strings submitted;
• Records viewed (e.g., selected from results list);
• Records created, modified, and deleted;
• Records or reports extracted or downloaded;
• Records or reports printed;
• Help Ticket management and reporting;
• Training courses viewed (e.g., selected from results list);
• Training courses; In Progress, Completed and Delayed;
• Training Test; In Progress, completed: passed or Failed and Delayed and/or graded;
• Training Records or reports extracted or downloaded for the government and for the user; and
• Training Records or reports printed.
Currently, SETA uses tableau and Learning Locker LRS as reporting tools. Tableau is connected to
a real time replicated RDS instance of SETA Database. Tableau runs a query against this replicated
server. Tableau is running extracts from this database for the dashboard also. The tableau dashboard
is not integrated with Moodle to show any reporting on any of its pages.
The SETA application shall have an overall availability of 99.995%.
The Contractor shall replicate the government provided development, testing, and Pre-Production
and production environments and adhere to a test-driven development (TDD) methodology
including the development and running of automated unit, integration, and functional testing.
Additionally, upon any release into production, the production version of the SEVP External
Training Application shall integrate into and be supported by the ICE's Product Backlog Repository
(currently JIRA) to track story and task progress, ICE's Defect Management tool (currently Serena
Tracker) to track SCRs, and shall use ICE's Source Code Version Management tool (currently
Subversion) for version control of the system’s application code base.
The "Definition of Done" is the establishment and approval of a base line of function points
15
aggregated into User Stories that will culminate in a functionally compliant environment within
which scenario-based training may be developed to replicate actual system functions and business
workflows with either sanitized SMU systems data or sample data that meets the SMU system’s
data quality standards.
The Contractor shall follow the ICE OCIO process prior to releasing into a production environment.
The Contractor shall manage and/or implement and require interfaces with existing SMU
applications.
For the development process, the Contractor shall use Agile development methodologies, such as
Scrum or Kanban. The Contractor shall be primarily concerned with the implementation cycle, which
in the case of Scrum includes Sprint planning, application design, development and testing,
deployment, Sprint review, and Sprint retrospective. SEVP currently implements Sprint. The
Government will provide a Scrum Master to facilitate the Agile development process and perform
the traditional duties of the Scrum Master role.
User stories will be written by the requirement owners and issued to the Product Manager(s)/Product
Owner(s) and the Contractor for implementation in the form of a product backlog. The Government
Product Owner(s) will provide prioritization of user stories.
The Contractor shall use the Government-provided Product Backlog Repository and defect
management tool, currently JIRA, to track user story and task progress.
The Contractor shall use the Government-provided Source Code Version Management tool,
currently Subversion, for version control of the code base.
The Contractor shall use the Government-provided Continuous Integration (CI) toolset, currently
Jenkins, for automated builds and deployments to all environments.
The Contractor shall use an industry standard unit testing library, such as JUnit, to execute all unit
tests. The Contractor shall use the Government-provided code coverage toolset to report on unit
testing code coverage. The unit testing and code coverage toolset is integrated with the CI toolset to
provide reports on unit testing. The Contractor shall ensure that required integration points with the
developed code base shall be supported in order to enable the reports in the CI toolset.
The Contractor shall use the Government-provided static code analysis tools, planned to be
SonarQube, and integrate the execution of the analysis with the CI toolset for automated execution
and reporting of results.
The Contractor shall perform code peer reviews and document the results via an electronic medium,
such as a wiki or JIRA, or by using a Government-provided tool if available. The Contractor shall
develop automated test cases using an industry standard automated functional testing toolset, such
as Selenium. An automated test case suite shall be maintained and executed on a regular basis, at
least weekly. The automated testing toolset shall be integrated with the CI toolset to allow for
automated scheduled execution and results reporting.
The Contractor shall support the full lifecycle of integration testing with interface partners, including
test planning, test script creation, data staging, test execution, troubleshooting, and test result
reporting.
16
The Contractor shall support performance testing of the application. The Government is responsible
for performance test creation and execution.
The Contractor shall work to resolve defects and/or performance issues that are identified during
performance test execution. If non-standard technology components are used by the application, the
Contractor shall support the Government during the ICE Technology Reference Model (TRM) and
Information Technology Change Request (ITCR) process. This support shall include documentation
and justification for the need for the specific technology components being used.
9.8 Break-fixes and Security Management

An emergency break-fix action changes the status of a configuration item so as to restore its operational
status. This process permits actions to be taken to restore a configuration item to operational service. These
actions still must follow a change management process, but one that accommodates their high impact and
high urgency. Actions that change the logical or physical characteristics of a configuration item are not
permitted under this process.
9.8.1 Emergency Break-fixes Implementation

• Rebooting a device (e.g., server, appliance, network equipment)
• Restarting one or more services on a device
• Stopping an application on a redundant server (provided that the application is running on another server)
• Clearing or deleting log files to resolve a memory- or disk-full condition not symptomatic of a malware
or denial-of-service attack (does not include adding physical memory or allocating additional storage
space)
• Restoring data from a backup
• Replacing a defective hardware part or device with a part/device of the same make, model, and
configuration (includes replacing defective memory and replacement of like-for-like network
devices/parts/components with no configuration modifications)
• Reinstalling/restoring corrupted software to its previously approved configuration
• Restoring the agreed-upon interconnection security agreement (ISA) configuration for AppAuth trust
must provide change request number(s) that reflect agreed-upon trust configuration
• Support firewall configuration as needed
• Removing any blocker that is preventing a backup from loading
• Allocating additional storage space or reallocating storage space within a system
• Adding memory to a server (physical or virtual) at an approved time and date; The approvals must be
approved by Product Owner, System Owner, and the ITPM.
• Renewing server certificates
9.8.2 Cybersecurity Management

Federal law requires that all government information systems be protected against unauthorized
access or use. The Federal Information Security Management Act (FISMA) is the key cybersecurity
statute and requires Federal agencies to implement organization-wide cybersecurity programs. The
U.S. Department of Homeland Security (DHS) has instantiated FISMA in several organizational
publications.
FISMA and related DHS cybersecurity policies and requirements apply to all information technology
(IT) solutions deployed across DHS. They apply to all IT solutions operated by or on behalf of DHS.
As many Immigration and Customs Enforcement (ICE) information systems are developed or
maintained by contract resources, incorporating cybersecurity requirements into all ICE contracts is
17
a critical component of the overall DHS cybersecurity program.
The Contractor shall work with the System Owner and ITPM to support the new NIST 800-53 r5
controls. At this time, DHS is evaluating the impact of the new controls on the department as a whole
and will formulate a plan for implementation and rollout to the components.
9.9 Software Development Processes and Tools

The Contractor shall use the Government-provided virtual environment including development
workstations, development integration, testing, and production. The Government will provide and
support these environments, which are hosted in cloud service provider infrastructure, currently
AWS. The Government will provide and support the infrastructure.
The Contractor shall support the Government in the stand-up of the environments including
application specific software components, as well as application specific infrastructure
implementations, such as load balancing. The Contractor shall be responsible for shake-out and
validation of each environment.
The Contractor shall use the Government-provided Product Backlog Repository and defect
management tool, currently JIRA, to track user story and task progress.
The Contractor shall use the Government-provided Source Code Version Management tool,
currently Subversion, for version control of the code base.
The Contractor shall use the Government-provided Continuous Integration (CI) toolset, currently
Jenkins, for automated builds and deployments to all environments.
The Contractor shall use an industry standard unit testing library, such as JUnit, to execute all unit
tests. The Contractor shall use the Government-provided code coverage toolset to report on unit
testing code coverage. The unit testing and code coverage toolset is integrated with the CI toolset to
provide reports on unit testing. The Contractor shall ensure that required integration points with the
developed code base shall be supported in order to enable the reports in the CI toolset.
The Contractor shall use the Government-provided static code analysis tools, planned to be
SonarQube, and integrate the execution of the analysis with the CI toolset for automated execution
and reporting of results.
The Contractor shall perform code peer reviews and document the results via an electronic medium,
such as a wiki, JIRA, or using a Government-provided tool if available.
The Contractor shall develop automated test cases using an industry standard automated functional
testing toolset, such as Selenium. The contractor shall maintain and execute an automated test case
suite on a regular basis, at least weekly. The automated testing toolset shall be integrated with the CI
toolset to allow for automated scheduled execution and results reporting.
The Contractor shall support the full lifecycle of integration testing with interface partners, including
test planning, test script creation, data staging, test execution, troubleshooting, and test result
reporting.
The Contractor shall support performance testing of the application. The Government is responsible
18
for performance test creation and execution. The Contractor shall work to resolve defects and/or
performance issues that are identified during performance test execution.
The Contractor shall provide SLM deliverables identified and required by the appropriate SLM phase
to the Project Manager (PM) and ELMS. The contractor shall prepare documentation in accordance
with the guidelines specified by the SLM and the approved Tailoring Plan. During this period of
performance of the system lifecycle, all security activities need to be completed as directed. The
contractor must update the System Security plan, as well as update and test the contingency plan.
Continuous vigilance shall be given to virus and intruder detection. The project team and the IT
Project Manager must be sure that security operating procedures are kept updated accordingly. The
contractor shall review and update documentation from the previous releases. The Contractor shall
deliver draft versions, revised versions, and final versions of required system documents. The
Contractor shall provide deliverables electronically, virus free, and in the acceptable electronic
format mutually agreed upon by the Government and Contractor. The Contractor shall support the
creation and maintenance of Interface Control Agreements (ICAs) for each of the interfaces. The
Contractor shall support the creation and maintenance of the System Design Document (SDD),
Development Test Plan, Development Test Analysis and Results (DTAR), Version Description
Document (VDD), Notice of Intent to Release (NIR), and all other SLM documents identified in the
approved Tailoring Plan.
9.10 Disposition
Disposition is the act of eliminating all or parts of a system to include IT and non-IT system
belongings. Although ICE currently has no plans to dispose of the Information Sharing Course, based
on future developments within the program, the Contractor may be required to initiate disposition
activities. The contractor shall initiate disposition activities in accordance with DHS ICE SLM at the
conclusion of its lifecycle when a determination is made to retire the system.
Disposition activities include but are not limited to:

• Develop a system disposition plan;
• Assist in publishing a notice of deletion in the federal register;
• Retire the system and archive system components, data, and documentation;
• Execute project close out; and
• Coordinate with Contracting Officer’s Representative (COR) to schedule Disposition Review.
10.0 Deliverables
The Contractor shall provide the deliverables identified in Table 2 below throughout the Contract
period of performance.
Table 2: List of Deliverables for Baseline/Core Requirements

Deliverables
Date of ICE Desired
Description Frequency Submission Distribution Format
/ Title
Product Owner,
5 business days Contract Officer, Teams/ MS
Kick-Off Briefing Once after contract award COR, Requirements Word
Owner
19
Initial due 15
calendar days after
Project Management Once and award, Final due 15
Contractor
Plan and High-Level updated as calendar days after Product Owner Decision
Project Roadmap needed the Discovery
period and as
needed
Presented and
briefed at the Product Owner
Product Roadmap Monthly MS Visio
Release Planning Requirements Owner
Meeting
As defined in
developed and As defined in the As required
SLM Documentation Product Owner
approved project schedule by SLM
Roadmap
Electronic copy:
Product Owner,
Quality Assurance 15 calendar days
Once Contract Specialist, MS Word
Plan after award
COR, Requirements
Owner
Configuration
Management Plan & Quality Control
Once Product Owner MS Project
Enterprise Systems Plan
Assurance Plan
Product Owner
120 days prior to end MS Word
Transition-Out Plan Once
of the Contract MS Project
Requirements Owner
10.1 Project Management Plan and High-Level Project Roadmap

The Contractor shall manage and update, as needed, a Project Management Plan. The Contractor
shall provide the first draft of the Project Management Plan and Project Roadmap fifteen (15)
calendar days after Contract award. The final version of the Project Management Plan and Project
Roadmap is due fifteen (15) calendar days after the end of the Initial Planning & Discovery period.
Project roadmaps often include, but are not limited to, these types of components:
• Project goals and objectives;
• Important milestones and tasks;
• Resource allocation;
• Project timeline; and
• Potential risks.
10.2 Product Roadmap

Product roadmaps needs to include high-level strategic initiatives, key upcoming releases, and features which
will be used to drive towards those short-term and long-term goals. The product roadmap communicates the
product’s overall direction to internal and external stakeholders. It is also used to determine priorities and
ensure that plans will support the key business goals.
Product roadmaps needs to include the following types of components:
20
• Product goals
• Strategic initiatives
• Key releases and features that deliver on the goals
• Master features (or epics)
• Major users’ stories or features
• Overall timeline
10.3 System Lifecycle Management (SLM) Deliverables

The Contractor shall provide, manage, and update SLM deliverables as required. The Contractor
shall be responsible for updating, in whole or in part, SLM artifacts. The Contractor shall use ICE
mandated applications, tools, or templates for the editing or creation of all SLM-related
documentation.
10.4 Enterprise Systems Assurance Plan (ESAP)

The ESAP serves as a “how-to” guide for implementing the System Lifecycle Management (SLM)
process. The ESAP provides instructions for carrying out specific quality assurance (QA),
configuration management (CM), requirements management (RM), development testing, and data
architecture activities. It also provides instructions for coordinating with ICE OCIO Systems
Assurance and Technical Architecture and delineates the responsibilities of the activities between
ICE OCIO Systems Assurance and project teams.
The Contractor shall provide, manage, and update ESAP deliverables as required. The Contractor shall be
responsible for updating, in whole or in part, ESAP artifacts. The Contractor shall use ICE mandated
applications, tools, or templates for the editing or creation of all related documentation. As a member of the
Project Team the contractor has the following ESAP responsibilities:
• Conforms to Technical Architecture and established quality standards

• Conducts peer reviews and walkthroughs
• Ensures defects and deficiencies are appropriately identified, reported, and resolved
• Participates in and delivers presentations at SLM Reviews
10.5 Configuration Management

The Contractor shall assist the Government in conducting application-level configuration management for all
changes made to the system. The Contractor shall also assist the Government in handling all requests for
changes to established baselines and configuration management thereof via the ICE approved SCR process,
including the conducting of a system-specific Change Control Board (CCB) as required. The Contractor shall
assign proper identification of all configuration items in accordance with agreed upon conventions.
10.6 Transition-out Plans

The Contractor shall be responsible for the transition of all technical activities identified in this
Contract/Order.
The Contractor shall be responsible for the transition-out of all technical activities identified in this
Contract/Order during the final, awarded period of performance. The Contractor shall submit a
Transition-Out Plan 120 business days following award and120 business days prior to the completion
of the period of performance of this Contract/Order, and shall also make ad hoc updates as requested.
10.7 Kick-Off briefing

21
The Contractor shall present kick-off briefing five (5) business days after contract/order award, to include an
overview of the project team, scope of work, deliverables, transition activities, communication approach,
initial risks, and next steps.
11.0 Key Personnel

The Contractor shall provide contracting support to include an IT Project Manager, Training Content Project
Manager, Senior Technical Application Developer, and Web Designer (Senior Applications Developer).
Requirements shall be in accordance with this Performance Work Statement.
11.1 IT Project Manager (PM) - Level III

Description of Work: The PM shall have the ability to provide oversite and guidance of the
Technical Platform Development as well as all tasks in this requirement. The PM shall have the
capability to manage projects of high complexity and to direct the completion of projects within
estimated timeframes and resource constraints. The PM shall coordinate all parties to tasks and
review work products for completeness, quality, and adherence to customer requirements. The PM
shall be the liaison to the other SMU system teams.
Educational Requirements: The PM shall have a minimum of a Bachelor’s degree.
Experience Requirements: In addition to the educational requirements, the PM shall have a

minimum ten (10) years’ experience as the lead Project Manager for teams using Agile processes
and two (2) years of experience managing successful projects that produced a complex web-based
training environment and a system for managing access by and tracking the activities of over 40,000
users.
Additional Required Knowledge and Skills: The PM shall clearly possess the following
knowledge and skills:
• Ability to use Jira and Confluence for SEVISETA & SETAHELP;
• Ability to manage and mentor team members; and
• Ability to perform administrative tasks, such as SLM documentation as needed, and
reporting.
11.2 Training Content Project Manager (PM)

Description of Work: The Training Content PM shall be the enablement advocate. The Training
Content PM shall understand that pivotal application features require a well-rounded comprehension
on the subject matter and in turn they manage the training content that is purposeful, clear, and
messaged correctly. Training Content PM shall bring a unique perspective to this process. Training
Content PM shall anticipate the needs of the SEVP Community, use that to gain a deeper
understanding of the product, and then determine the best method(s) to educate their audience. These
methods include combinations of public training courses, eLearning content, internal training
sessions, virtual workshops, etc.
Educational Requirements: The Training Content PM shall have a minimum of a Bachelor’s

degree.
Experience Requirements: In addition to the educational requirements, the Training Content PM

shall have two (2) years of experience on a project using Agile methodologies and four (4) years’
experience in the following:
• Using a behavioral science background to deliver web-based training;
22
• Being a certified 508 Tester;

• Creating interactive, visually engaging, and stimulating training; and
• Developing training that has proven to improve the trainee’s learning ability in the area of
the training.
Additional Required Knowledge and Skills: The Training Content PM shall clearly possess the
following knowledge and skills:
• Ability to create and track content projects; and

• Proficiency in Web Design UI/UX guides course development look and feel.
11.3 Sr Technical Application Developer

Description of Work: The Sr Technical Application Developer shall configure and extend the
hosting platform (LMS) and the interaction data capture (LMS and LRS). The Sr Technical
Application Developer shall optimize application design for high performance and high availability.
The Sr Technical Application Developer shall develop and maintain the Jenkins-based CI/CD
pipelines. The Sr Technical Application Developer shall perform PHP and JavaScript development,
Learning Management Administration: architect and maintain application platform. The Sr
Technical Application Developer shall develop and maintain systems documentation.
Educational Requirements: The Sr Technical Application Developer shall have a minimum of a

Bachelor’s degree.
Experience Requirements: In addition to the educational requirements, the Sr Technical

Application Developer shall have two (2) years’ experience on a project using Agile
methodologies and four (4) years’ experience and expertise in component re-use and
maintainability, setting up the application, conducting code reviews and quality assurance, and
software design. The Sr Technical Application Developer shall have experience in Technical
Platform Development.
Additional Required Knowledge and Skills Not Required, but Highly Desirable: The Sr
Technical Application Developer shall have:
▪ Five (5) years’ experience as a systems developer working with large Oracle databases and
supporting web-based applications that support in excess of 10,000 users. As part of this
experience, the architect shall have created and/or maintained the application framework;
and
• Experience in designing an external emulator that can be used to simulate the action of
interfaces, Oracle jobs, and adjudicative decisions to include:
• Creating 508 compliant systems, and
• Two (2) years’ experience with MONGO Amazon or DynamoDB.
11.4 Web Designer/Sr Applications Developer

Description of Work: The Web Designer shall design and build front end for SETA platform,
Learning Management Administration.
Educational Requirements: The Web Designer shall have a minimum of a Bachelor’s degree.
23
Experience Requirements: In addition to the educational requirements, the Web Designer shall
have five (5) years’ experience as primary graphics designer for large web-based projects. The Web
Designer shall have experience in Technical Platform Development.
Additional Required Knowledge and Skills: The Web Designer shall clearly possess the
following knowledge and skills:
▪ Proficient in CSS and JavaScript to add features to course hosting environment, including
administrator functions; and
▪ Web Design User Interface/User Experience: Informs/guides user-centric development for
Content Development.
12.0 General Requirements

12.1 Period of Performance
The period of performance for this requirement consists of one (1) 3-month base period and three
(3) 1-month option periods.
12.2 Place of Performance

The Contractor will be required to provide contract/order support at the Contractor’s operating
facility. At the request of the Government, meeting will be held at the following locations: 2450 and
2451 Crystal Drive, Arlington, VA 22202 and 2070 Chain Bridge Road in Tysons, Virginia.
Telework is authorized once cleared thru the Federal Lead. Telework is allowed due to local or
national emergencies, administrative closings, weather closings, or similar Government directed
closings.
12.3 Hours of Operations

Contractor employees are expected to be available during core hours (8:00 a.m. to 5:00 p.m. Monday
through Friday local time) except on Federal holidays or when the government facility is closed
(http://www.opm.gov/fedhol/index.asp). Work will occur before or after business hours to
accommodate planned maintenance outages required during off-hours and/or to support outages or
incident resolution activities.
12.4 Non-Personal Services

This is a Non-Personal services contract as defined by FAR Subpart 37.101. DHS retains the
authority to make all decisions regarding the DHS mission, and the execution or interpretation of
laws of the United States. Contractor services defined are not considered to be inherently
Governmental in nature, as defined by Federal Acquisition Regulation (FAR) Subpart 7.5
The Government shall neither supervise Contractor employees, nor control the method by which the
Contractor performs the tasks. Under no circumstances shall the Government assign tasks to, or
prepare work schedules for, individual Contractor employees. It shall be the responsibility of the
Contractor to manage its employees and to guard against any actions that are of the nature of personal
services or give the perception of personal services. If the Contractor believes that any actions
constitute, or are perceived to constitute personal services, it shall be the Contractor’s responsibility
to notify the Contracting Officer (CO) or COR immediately.
12.5 Business Relations

The Contractor shall successfully integrate and coordinate all activities needed to execute the tasks.
The Contractor shall manage the timeliness, completeness, and quality of identified issues. The
Contractor shall provide corrective action plans, proposal submittals, timely identification of issues,
24
and effective management of subcontractors. The Contractor shall seek to ensure customer
satisfaction and professional and ethical behavior of all Contractor personnel.
12.6 Contract Management

The Contractor shall establish clear organizational lines of authority and responsibility to ensure
effective management of the resources assigned. The Contractor must maintain continuity between
the support operations and the Contractor’s corporate offices.
12.7 Contract Administration

The Contractor shall establish processes and assign appropriate resources to effectively administer
the contract. The prime Contractor will manage work distribution to ensure there is no Organizational
Conflicts of Interest (OCI) but will promptly notify the Government when such a situation occurs
and provide the CO with the associated mitigation plan. The Contractor shall respond to Government
requests for contractual actions in a timely fashion. The Contractor shall assign work effort and
maintain proper and accurate time-keeping records of personnel assigned to work under this task.
12.8 Subcontract Management

The Contractor shall be responsible for any subcontract management necessary to integrate work
performed under this task and shall be responsible and accountable for subcontractor performance.
Upon approval from the CO and COR, Contractors may add subcontractors to their team.
12.9 Organizational Conflict of Interest (OCI)

Pursuant to Federal Acquisition Regulation (FAR) 9.5 and HSAR 3052.209-72, the Contractor shall
manage work distribution to ensure there are no OCI. The Contractor shall promptly notify the
Government when such a situation occurs and provide the CO with the associated mitigation plan.
12.10 Invoicing
In accordance with the terms and conditions of the contract/order, the Contractor shall submit
invoices and supporting documentation by the 15th of the following month. Each monthly invoice
shall be submitted in sufficient detail, with costs segregated at the project and Contract Line Item
Number (CLIN) level.
12.11 Government Furnished Equipment (GFE)/Government Furnished Property (GFP)

The Government will provide the Contractor with basic equipment and property (e.g., laptops,
desktops, monitors (as needed), and mobile smart phones). The Government will provide access to
ICE mandated tools such as JIRA, Remedy, and other applications as needed for this effort. ICE
reserves the right to add, delete, or modify at its discretion any hardware or software at any time
during contract/order performance, based upon what in ICE’s judgment is necessary to most
effectively and efficiently perform the mission.
All GFE/GFP provided to the Contractor to perform work under this Contract shall be returned to
the Government at the end of the period of performance. The Contractor shall keep an inventory of
GFE/GFP, which shall be made available to the COR or CO upon request in a PDF format. All
GFE/GFP shall be entered into ICE’s Property Inventory System (Sunflower) within 48 hours of
receipt. The Contractor shall ensure that all GFE/GFP provided for their use shall be secured.
The Contractor shall manage, maintain, and control all GFE/GFP in support of this contract and
subsequent Contracts in accordance with the clause at FAR 52.245-1.
12.12 Government Furnished Information (GFI)

25
The Government will provide Government Furnished Information (GFI) (e.g., technical data,
applicable documents, plans, regulations, specifications, etc.) in support of this task. ICE expressly
reserves the right to add, delete, or modify at its exclusive discretion any access rights at any time
during contract/order performance, based upon what in ICE’s judgment is necessary to most
effectively and efficiently perform the missions.
The Government will provide the Contractor with access to all computer and network hardware and
software necessary to fulfill the requirements of this task, including ancillary environments, such as
the ICE Help Desk trouble ticketing environment. The Contractor shall ensure that all GFI provided
for their use shall be secured. All training materials, policies, procedures, timelines, electronic work
products, and/or other documentation created in support of this task and/or provided by the
Government are the property of the Government.
12.13 Security and Privacy

Contractor personnel performing work under this Contract will be required to obtain a favorable
preliminary fitness determination and final fitness determination from the ICE Personnel Security
Unit. The level of security is designated as Sensitive But Unclassified (SBU).
REQUIRED SECURITY LANGUAGE FOR

SENSITIVE /BUT UNCLASSIFED (SBU) CONTRACTS
SECURITY REQUIREMENTS
GENERAL
The United States Immigration and Customs Enforcement (ICE) has determined that performance
of the tasks as described in Contract requires that the Contractor, subcontractor(s), vendor(s), etc.
(herein known as Contractor) have access to sensitive DHS information, and that the Contractor will
adhere to the following.
PRELIMINARY FITNESS DETERMINATION
ICE will exercise full control over granting, denying, withholding or terminating unescorted
government facility and/or sensitive Government information access for Contractor employees,
based upon the results of a Fitness screening process. ICE may, as it deems appropriate, authorize
and make a favorable expedited preliminary Fitness determination based on preliminary security
checks. The preliminary Fitness determination will allow the contractor employee to commence
work temporarily prior to the completion of a Full Field Background Investigation. The granting of
a favorable preliminary Fitness shall not be considered as assurance that a favorable final Fitness
determination will follow as a result thereof. The granting of preliminary Fitness or final Fitness
shall in no way prevent, preclude, or bar the withdrawal or termination of any such access by ICE,
at any time during the term of the contract. No employee of the Contractor shall be allowed to enter
on duty and/or access sensitive information or systems without a favorable preliminary Fitness
determination or final Fitness determination by the Office of Professional Responsibility, Personnel
Security Unit (OPR-PSU). No employee of the Contractor shall be allowed unescorted access to a
Government facility without a favorable preliminary Fitness determination or final Fitness
determination by OPR-PSU. Contract employees are processed under DHS Instruction 121-01-007-
001 (Personnel Security, Suitability and Fitness Program), or successor thereto. Those Contract
employees having direct contact with Detainees will also have 6 CFR § 115.117 considerations made
as part of the Fitness screening process. (Sexual Abuse and Assault Prevention Standards)
26
implemented pursuant to Public Law 108-79 (Prison Rape Elimination Act (PREA) of 2003).
BACKGROUND INVESTIGATIONS
Contractor employees (to include applicants, temporaries, part-time and replacement employees)
under the contract, needing access to sensitive information and/or ICE Detainees, shall undergo a
position sensitivity analysis based on the duties each individual will perform on the contract. The
results of the position sensitivity analysis shall identify the appropriate background investigation to
be conducted. Background investigations will be processed through the Personnel Security Unit.
Contractor employees nominated by a Contracting Officer Representative (COR) for consideration
to support this contract shall submit the following security vetting documentation to OPR-PSU,
through the COR, within 10 days of notification by OPR-PSU of nomination by the COR and
initiation of an Electronic Questionnaire for Investigation Processing (e-QIP) in the Office of
Personnel Management (OPM) automated on-line system.
1. Standard Form 85P (Standard Form 85PS (with supplement to 85P required for armed
positions)), “Questionnaire for Public Trust Positions” Form completed on-line and archived by
the contractor employee in their OPM e-QIP account.
2. Signature Release Forms (three total) generated by OPM e-QIP upon completion of
Questionnaire (e-signature recommended/acceptable – instructions provided to applicant by
OPR-PSU). Completed on-line and archived by the Contractor employee in their OPM e-QIP
account.
3. Two (2) SF 87 (Rev. December 2017) Fingerprint Cards. (Two Original Cards sent via COR to
OPR-PSU).
4. Foreign National Relatives or Associates Statement. (This document sent as an attachment in an

e-mail to Contractor employee from OPR-PSU – must be signed and archived into Contractor
employee’s OPM e-QIP account prior to electronic “Release” of data via on-line account).
5. DHS 11000-9, “Disclosure and Authorization Pertaining to Consumer Reports Pursuant to the
Fair Credit Reporting Act” (This document sent as an attachment in an e-mail to Contractor
employee from OPR-PSU – must be signed and archived into Contractor employee’s OPM e-
QIP account prior to electronic “Release” of data via on-line account).
6. Optional Form 306 Declaration for Federal Employment (This document sent as an attachment
in an e-mail to contractor employee from OPR-PSU – must be signed and archived into
Contractor employee’s OPM e-QIP account prior to electronic “Release” of data via on-line
account).
7. If occupying PREA designated position: Questionnaire regarding conduct defined under 6 CFR
§ 115.117 (Sexual Abuse and Assault Prevention Standards) (This document sent as an
attachment in an e-mail to Contractor employee from OPR-PSU – must be signed and archived
into Contractor employee’s OPM e-QIP account prior to electronic “Release” of data via on-line
account).
8. One additional document may be applicable if Contractor employee was born abroad. If
applicable, additional form and instructions will be provided to Contractor employee. (If
27
applicable, the document will be sent as an attachment in an e-mail to Contractor employee from
OPR-PSU – must be signed and archived into Contractor employee’s OPM e-QIP account prior
to electronic “Release” of data via on-line account).
Contractor employees who have an adequate, current investigation by another Federal Agency may
not be required to submit complete security packages; rather, the investigation may be accepted
under reciprocity. The questionnaire related to 6 CFR § 115.117 listed above in item 7 will be
required for positions designated under PREA.
An adequate and current investigation is one where the investigation is not more than five (5) years
old, meets the contract risk level requirement, and where the applicant has not had a break in service
of more than two (2) years. (Executive Order 13488 amended under Executive Order 13764/DHS
Instruction 121-01-007-01).
Required information for submission of the security packet will be provided by OPR-PSU at the time
of award of the contract. Only complete packages will be accepted by the OPR-PSU as notified by
the COR.
To ensure adequate background investigative coverage, Contractor employees must currently reside
in the United States or its Territories. Additionally, Contractor employees are required to have
resided within the Unites States or its Territories for three or more years out of the last five (ICE
retains the right to deem a contractor employee ineligible due to insufficient background coverage).
This timeline is assessed based on the signature date of the standard form questionnaire submitted
for the applied position. Contractor employees falling under the following situations may be exempt
from the residency requirement: 1) work or worked for the U.S. Government in foreign countries in
federal civilian or military capacities; 2) were or are dependents accompanying a federal civilian or
a military employee serving in foreign countries so long as they were or are authorized by the U.S.
Government to accompany their federal civilian or military sponsor in the foreign location; 3)
worked as a contractor employee, volunteer, consultant, or intern on behalf of the federal government
overseas, where stateside coverage can be obtained to complete the background investigation; 4)
studied abroad at a U.S. affiliated college or university; or 5) have a current and adequate background
investigation (commensurate with the position risk/sensitivity levels) completed for a federal or
contractor employee position, barring any break in federal employment or federal sponsorship.
Only U.S. Citizens and Legal Permanent Residents are eligible for employment on contracts
requiring access to DHS sensitive information unless an exception is granted as outlined under DHS
Instruction 121-01-007-001. Per DHS Sensitive Systems Policy Directive 4300A, only U.S. citizens
are eligible for positions requiring access to DHS Information Technology (IT) systems or positions
that are involved in the development, operation, management, or maintenance of DHS IT systems,
unless an exception is granted as outlined under DHS Instruction 121-01-007-001.
TRANSFERS FROM OTHER DHS CONTRACTS:
Contractor employees may be eligible for transfer from other DHS Component contracts provided
they have an adequate and current investigation meeting the new assignment requirement. If the
Contractor employee does not meet the new assignment requirement, a DHS 11000-25 with ICE
supplemental page will be submitted to OPR-PSU to initiate a new investigation.
Transfers will be accomplished by submitting a DHS 11000-25 with ICE supplemental page
28
indicating “Contract Change.” The questionnaire related to 6 CFR § 115.117 listed above in item 7
will be required for positions designated under PREA.
CONTINUED ELIGIBILITY
ICE reserves the right and prerogative to deny and/or restrict facility and information access of any
contractor employee whose actions conflict with Fitness standards contained in DHS Instruction
121-01-007-01, Chapter 3, paragraph 6.B or who violate standards of conduct under 6 CFR §
115.117. The Contracting Officer or their representative can determine if a risk of compromising
sensitive Government information exists or if the efficiency of service is at risk and may direct
immediate removal of a Contractor employee from contract support. The OPR-PSU will conduct
periodic reinvestigations every five (5) years, or when derogatory information is received, to evaluate
continued Fitness of contractor employees.
REQUIRED REPORTS
The Contractor will notify OPR-PSU, via the COR, of all terminations/resignations of Contractor
employees under the contract within five (5) days of occurrence. The Contractor will return any
expired ICE issued identification cards and building passes of terminated/ resigned employees to the
COR. If an identification card or building pass is not available to be returned, a report must be
submitted to the COR referencing the pass or card number, name of individual to whom it was issued,
and the last known location and disposition of the pass or card. The COR will return the identification
cards and building passes to the responsible ID Unit.
The Contractor will report any adverse information coming to their attention concerning Contractor
employees under the contract to the OPR-PSU, via the COR, as soon as possible. Reports based on
rumor or innuendo should not be made. The subsequent termination of employment of an employee
does not obviate the requirement to submit this report. The report shall include the Contractor
employee’s name and social security number, along with the adverse information being reported.
The Contractor will provide, through the COR, a Quarterly Report containing the names of
Contractor employees who are active, pending hire, have departed within the quarter, and have had
a legal name change (submitted with documentation). The list shall include the names, positions, and
last four of each employee’s SSN. The list shall be derived from system(s) used for the Contractor’s
payroll/voucher processing to ensure accuracy.
CORs will submit reports to psu-industrial-security@ice.dhs.gov
Contractors, who are involved with management and/or use of information/data deemed “sensitive”
(to include “law enforcement sensitive”) are required to complete the DHS Form 11000-6-Sensitive
but Unclassified Information NDA for Contractor access to sensitive information. The NDA will be
administered by the COR to the all Contractor personnel within ten (10) calendar days of the entry
on duty date. The completed form shall remain on file with the COR for purpose of administration
and inspection.
Sensitive information as defined under the Computer Security Act of 1987, Public Law 100-235 is
information not otherwise categorized by statute or regulation that if disclosed could have an adverse
impact on the welfare or privacy of individuals or on the welfare or conduct of Federal programs or
other programs or operations essential to the national interest. Examples of sensitive information
include personal data such as: Social Security numbers; trade secrets; system vulnerability
29
information; pre-solicitation procurement documents, such as statements of work; and information

pertaining to law enforcement investigative methods. Similarly, detailed reports related to computer
security deficiencies in internal controls are also sensitive information because of the potential
damage that could be caused by the misuse of this information. All sensitive information must be
protected from loss, misuse, modification, and unauthorized access in accordance with DHS
Management Directive 11042.1, DHS Policy for Sensitive Information and ICE Policy 4003,
Safeguarding Law Enforcement Sensitive Information.
Any unauthorized disclosure of information should be reported to ICE.ADSEC@ICE.dhs.gov.
SECURITY MANAGEMENT
The Contractor shall appoint a senior official to act as the Corporate Security Officer. The individual
will interface with the OPR-PSU through the COR on all security matters, to include physical,
personnel, and protection of all Government information and data accessed by the Contractor.
The COR and the OPR-PSU shall have the right to inspect the procedures, methods, and facilities
utilized by the Contractor in complying with the security requirements under this contract. Should
the COR determine that the Contractor is not complying with the security requirements of this
contract, the Contractor will be informed in writing by the Contracting Officer of the proper action
to be taken in order to effectuate compliance with such requirements.
INFORMATION TECHNOLOGY SECURITY CLEARANCE
When sensitive government information is processed on Department telecommunications and

automated information systems, the Contractor agrees to provide for the administrative control of
sensitive data being processed and to adhere to the procedures governing such data as outlined in
DHS MD 4300.1, Information Technology Systems Security, or its replacement. Contractor
employees must have favorably adjudicated background investigations commensurate with the
defined sensitivity level.
Contractor employees who fail to comply with Department security policy are subject to having their
access to Department IT systems and facilities terminated, whether or not the failure results in
criminal prosecution. Any person who improperly discloses sensitive information is subject to
criminal and civil penalties and sanctions under a variety of laws (e.g., Privacy Act).
INFORMATION TECHNOLOGY SECURITY TRAINING AND OVERSIGHT
In accordance with Chief Information Office requirements and provisions, all contractor employees
accessing Department IT systems or processing DHS sensitive data via an IT system will require an
ICE issued/provisioned Personal Identity Verification (PIV) card. Additionally, Information
Assurance Awareness Training (IAAT) will be required upon initial access and annually thereafter.
IAAT training will be provided by the appropriate component agency of DHS.
Contractor employees, who are involved with management, use, or operation of any IT systems that
handle sensitive information within or under the supervision of the Department, shall receive
periodic training at least annually in security awareness and accepted security practices, systems
rules of behavior, to include Unauthorized Disclosure Training, available on PALMS or by
contacting ICE.ADSEC@ICE.dhs.gov. Department Contractor employees, with significant security
responsibilities, shall receive specialized training specific to their security responsibilities annually.
30
The level of training shall be commensurate with the individual’s duties and responsibilities and is
intended to promote a consistent understanding of the principles and concepts of telecommunications
and IT systems security.
All personnel who access Department information systems will be continually evaluated while
performing these duties. System Administrators should be aware of any unusual or inappropriate
behavior by personnel accessing systems. Any unauthorized access, sharing of passwords, or other
questionable security procedures should be reported to the local Security Office or Information
System Security Officer (ISSO).
PRIVACY REQUIREMENTS FOR CONTRACTOR AND PERSONNEL
Limiting Access to Privacy Act and Other Sensitive Information
In accordance with FAR 52.224-1 Privacy Act Notification (APR 1984), and FAR 52.224-2 Privacy
Act (APR 1984), if this contract requires Contractor personnel to have access to information
protected by the Privacy Act of 1974, the Contractor is advised that the relevant DHS system of
records notices (SORNs) applicable to this Privacy Act information may be found at
https://www.dhs.gov/system-records-notices-sorns. Applicable SORNS of other agencies may be
accessed through the agencies’ websites or by searching GovInfo, available at
https://www.govinfo.gov that replaced the FDsys website in December 2018. SORNs may be
updated at any time.
Prohibition on Performing Work Outside a Government Facility/Network/Equipment
The Contractor shall perform all tasks on authorized Government networks, using Government-
furnished IT and other equipment and/or Workplace as a Service (WaaS) if WaaS is authorized by
the statement of work. Government information shall remain within the confines of authorized
Government networks at all times. Except where telework is specifically authorized within this
contract, the Contractor shall perform all tasks described in this document at authorized Government
facilities. The Contractor is prohibited from performing these tasks at, or removing Government-
furnished information from, any other facility. Government information shall remain within the
confines of authorized Government facilities at all times. Contractors may only access classified
materials on government furnished equipment in authorized government owned facilities regardless
of telework authorizations.
Prior Approval Required to Hire Subcontractors
The Contractor is required to obtain the Contracting Officer's approval prior to engaging in any
contractual relationship (Subcontractor) in support of this contract requiring the disclosure of
information, documentary material and/or records generated under or relating to this contract. The
Contractor (and any Subcontractor) is required to abide by Government and Agency guidance for
protecting sensitive and proprietary information.
Separation Checklist for Contractor Employees
Contractor shall complete a separation checklist before any employee or Subcontractor employee
terminates working on the contract. The separation checklist must verify: (1) return of any
Government-furnished equipment; (2) return or proper disposal of sensitive personally identifiable
31
information (PII), in paper or electronic form, in the custody of the employee or Subcontractor
employee including the sanitization of data on any computer systems or media as appropriate; and
(3) termination of any technological access to the Contractor’s facilities or systems that would permit
the terminated employee’s access to sensitive PII.
In the event of adverse job actions resulting in the dismissal of an employee or Subcontractor
employee, the Contractor shall notify the Contracting Officer’s Representative (COR) within 24
hours. For normal separations, the Contractor shall submit the checklist on the last day of
employment or work on the contract.
As requested, contractors shall assist the ICE Point of Contact (ICE/POC), Contracting Officer, or
COR with completing ICE Form 50-005/Contractor Employee Separation Clearance Checklist by
returning all Government-furnished property including but not limited to computer equipment,
media, credentials and passports, smart cards, mobile devices, PIV cards, calling cards, and keys and
terminating access to all user accounts and systems.
Contractor’s Commercial License Agreement and Government Electronic Information Rights
Except as stated in the Performance Work Statement and, where applicable, the Contractor’s
Commercial License Agreement, the Government Agency owns the rights to all electronic
information (electronic data, electronic information systems or electronic databases) and all
supporting documentation and associated metadata created as part of this contract. All deliverables
(including all data and records) under the contract are the property of the U.S. Government and are
considered federal records, for which the Agency shall have unlimited rights to use, dispose of, or
disclose such data contained therein. The Contractor must deliver sufficient technical documentation
with all data deliverables to permit the agency to use the data.
Privacy Lead Requirements
If the contract involves an IT system build or substantial development or changes to an IT system

that may require privacy documentation, the Contractor shall assign or procure a Privacy Lead, to
be listed under the SOW or PWS’s required Contractor Personnel section. The Privacy Lead shall
be responsible for providing adequate support to DHS to ensure DHS can complete any required
PTA, PIA, SORN, or other supporting documentation to support privacy compliance. The Privacy
Lead shall work with personnel from the program office, the ICE Privacy Unit, the Office of the
Chief Information Officer, and the Records and Data Management Unit to ensure that the privacy
documentation is kept on schedule, that the answers to questions in the PIA are thorough and
complete, and that questions asked by the ICE Privacy Unit and other offices are answered in a
timely fashion.
The Privacy Lead:

• Must have excellent writing skills, the ability to explain technology clearly for a non-technical
audience, and the ability to synthesize information from a variety of sources;
• Must have excellent verbal communication and organizational skills;
• Must have experience writing PIAs. Ideally the candidate would have experience writing PIAs for
DHS;
• Must be knowledgeable about the Privacy Act of 1974 and the E-Government Act of 2002; and
• Must be able to work well with others.
32
If a Privacy Lead is already in place with the program office and the contract involves IT system
builds or substantial changes that may require privacy documentation, the requirement for a separate
Private Lead specifically assigned under this contract may be waived provided the Contractor agrees
to have the existing Privacy Lead coordinate with and support the ICE Privacy POC to ensure privacy
concerns are proactively reviewed and so ICE can complete any required PTA, PIA, SORN, or other
supporting documentation to support privacy compliance if required. The Contractor shall work
with personnel from the program office, the ICE Office of Information Governance and Privacy, and
the Office of the Chief Information Officer to ensure that the privacy documentation is kept on
schedule, that the answers to questions in any privacy documents are thorough and complete, that all
records management requirements are met, and that questions asked by the ICE Privacy Unit and
other offices are answered in a timely fashion.
12.14 Cybersecurity Language for High Risk Contracts
ITAR 4.5.3.1 - Compliance with DHS Security Policy Terms and Conditions: All hardware,
software, and services provided under this Contract must be compliant with DHS 4300A DHS
Sensitive System Policy and DHS 4300A Sensitive Systems Handbook.
ITAR 4.5.3.4 - Security Review Terms and Conditions:
The Government may elect to conduct periodic reviews to ensure that the security requirements
contained in this contract are being implemented and enforced. The Contractor shall afford ICE,
including the organization of ICE Office of the Chief Information Officer, the Office of the Inspector
General, authorized Contracting Officer’s Representative (COR), and other government oversight
organizations, access to the Contractor's facilities, installations, operations, documentation,
databases, and personnel used in the performance of this contract. The Contractor will contact ICE
Chief Information Security Officer to coordinate and participate in the review and inspection activity
of government oversight organizations external to ICE. Access shall be provided to the extent
necessary for the government to carry out a program of inspection, investigation, and audit to
safeguard against threats and hazards to the integrity, availability, and confidentiality of ICE data or
the function of computer system operated on behalf of ICE, and to preserve evidence of computer
crime.
White House Digital Government BYODTK – Privacy Expectations:
Government Contractor employees do not have a right, nor should they have an expectation, of
privacy while using Government provided devices at any time, including accessing the Internet and
using e-mail and voice communications. To the extent that employees wish that their private
activities remain private, they should avoid using the Government provided device for limited
personal use. By acceptance of the government provided device, employees imply their consent to
disclosing and/or monitoring of device usage, including the contents of any files or information
maintained or passed through that device.
33
Attachment A: List of Acronyms
Acronym Definition
Amazon EFS Amazon Elastic File System
API Application Programming Interface
ARO Alternate Responsible Officers
ATO Authority to Operate
CAP Contractor Acquired Property
CBP Customs and Border Protection
CDR Critical Design Review
CLIN Contract Line Item Number
CO Contracting Officer
ConOps Concept of Operations
COR Contracting Officer’s Technical Representative
COTS Commercial Off the Shelf Software
CP Contingency Plan
CR Change Request
CSO Chief Security Officer
DD Design Document
DHS Department of Homeland Security
DISCO Defense Industrial Security Clearance Office
DMZ Demilitarized Zone
DoS Department of State
EA Enterprise Architecture
EAR Enterprise Archive
EDMO Enterprise Data Management Office
EIT Electronic Information Technology
ELMS Electronic Lifecycle Management System
EOD Enter on Duty
ESB Enterprise Service Bus
EV Exchange Visitor
FAR Federal Acquisition Regulation
FTR Federal Travel Regulation
GFE Government-furnished Equipment
GFI Government-furnished Information
GFP Government-furnished Property
HA High Availability
HSAM Dept. of Homeland Security Acquisition Manual
HSAR Dept. of Homeland Security Acquisition Regulation
ICA Interface Control Agreement
ICCB Infrastructure Change Control Board
ICE Immigration & Customs Enforcement
IOC Initial Operating Capability
IIRIRA Illegal Immigrant Reform and Responsibility Act
ISA Interconnection Security Agreement
ISO Information System Owner
ISSO Information Systems Security Officer
34
IT Information Technology
ITPM Information Technology Project Manager
LMS Learning Management System
LRS Learning Record Store
MIS Management Information System
MD Management Directive
NIR Notice of Intent to Release
NIST National Institute of Science and Technology
OCI Organizational Conflict of Interest
ODC Other Direct Cost
OCIO Office of the Chief Information Officer
OMB Office of Management and Budget
O&M Operations and Maintenance
ORD Operational Requirements Document
PCII Protected Critical Infrastructure Information
PO Product Owner
POA&M Plan of Actions and Milestones
POE Ports of Entry
PoP Period of Performance or Place of Performance
PTP Project Tailoring Plan
PWS Performance Work Statement
QASP Quality Assurance Surveillance Plan
QCP Quality Control Plan
RO Responsible Officer
RBAC Role Based Access Control
RTM Requirements Traceability Matrix
SBU Sensitive But Unclassified
SCI Sensitive Compartmented Information
SCIF Sensitive Compartmented Information Facility
SCORM Sharable Content Object Reference Model
SCR System Change Request
SDD Systems Development Division
SEB System Engineering Branch
SEVIS Student & Exchange Visitor Information System
SEVP Student & Exchange Visitor Program
SLA Service Level Agreement
SLM Systems Lifecycle Management
SPOC Single Point of Contact
SRD Systems Requirements Document
SRTM Security Requirements Traceability Matrix
SSI Sensitive Security Information
SSL Secure Sockets Layer
SWAD System Workload Analysis Document
TCM Test Coverage Matrix
TO Task Order
TRM Technical Reference Model
TTC Technology Transformation Committee
35
UAT User Acceptance Testing

VDD Version Description Document
VPN Virtual Private Network
WSDL Web Services Description Language
XML Extensible Markup Language
36
Attachment B: Performance Requirements Summary
Automated Test Scripts

Performance Standard: Minimize cost of regression, FQT, and Release OTE by providing
automated test sets.
Performance Measurement: This metric will be measured by computing the percentage of
requirements tested using automated scripts as compared to the total number designated as
“requires automated testing” in the requirements management system. During each Release
Planning activity, the requirements management application (e.g., Jira) will be used to
maintain the record of how the functional areas will be tested.
The percentage of automated test scripts that are developed by key milestones in the
development lifecycle, i.e. % Requirement Automatically Tested = [Number of Requirements
verified / Number of Requirements expected to be automated per Automatable Script Matrix]
x 100
Method of Surveillance: 100% inspection of Requirement Traceability Matrix [Test

Method] and online report of all test results, scripts, and test coverage. The DTAR will be
updated and delivered online just prior to the Test Readiness Review and will constitute the
results of this performance metric.
Rating Description
Excellent ≥95% of all User Stories having automated test scripts
Good 80% of all User Stories having automated test scripts
Satisfactory 70% of all User Stories having automated test scripts
Unsatisfactory Less than 70% of all User Stories having automated test scripts
37
Sprint Effectiveness
Performance Standard: Sprint effectiveness shall include a logical progression of
functionality that is tied to the release structure which supports continuous improvement of
functionality. Each sprint planning session shall “bucket” user stories into meaningful sets of
functionality that is SEVP and OCIO approved. The sprint shall implement the number of user
stories planned for the Sprint. The user story must include an identifier which ties to the
requirements, level of effort, story points, acceptance criteria, and be aligned to the
respective epics/business process.
Performance Measurement: 100*[Number of User Stories completed per Sprint/ [Number of

User Stories planned for the Sprint]
Method of Surveillance: 100% inspection of Sprint Completion is based on the

acceptance Criteria Results
Rating Description
Excellent >= 100% of User Stories successfully passing Sprint Integration

testing.
Good <100% and ≥90% of User Stories successfully passing Sprint

Integration testing.
Satisfactory <90% and ≥80% of User Stories successfully passing Sprint

Integration testing.
Unsatisfactory <80% of User Stories successfully passing Sprint Integration

testing.
38
Standards Compliance
Performance Standard: Adherence and compliance with DHS and ICE Architecture and
System Lifecycle Management (SLM) standards for activities performed during this
performance period. This measure assumes that the agile-development variants or agile-
tailored SLM documents will be used. Each SLM document deliverable is reviewed prior
by the ICE Team for compliance; thus, acceptance shall be taken to indicate compliance.
The definition of “defects” is taken from the Enterprise System Assurance Plan v.2.2 p. 12:
High: Applies to content that impacts the scope of the project. Failure to revise
and address appropriately may introduce significant risk to the project that
negatively impacts the ability of the project to meet cost, schedule, and/or
quality objectives. High severity deficiencies must be resolved for the
deliverable to fulfill its intent, achieve acceptance, and meet documentation
standards. High severity issues must be resolved before progressing to the next
SLM Stage.
Medium: Applies to content that detracts from the reader’s ability to
comprehend the item and how the project will address it. Medium issues
typically do not prevent formal acceptance of a deliverable; however, resolving
medium severity deficiencies improves product quality and clarity, which
increases deliverable value and reduces project risk. “Medium” severity issues
should be resolved during the next planned release/revision of the documents
but no later than the Production Readiness Review (PRR).
Low: Minor issues can be resolved in a timeframe convenient to the project
team, usually during the next planned release or revision of a document. SLM
document assessment SMEs do not mark low issues as they do not affect the
progression of the system through the SLM process.
Performance Measurement: Percentage of SLM document deliverables with various levels of

defects found during review.
Method of Surveillance: 100% Review all SLM document contract deliverables.
Rating Description
Excellent ≥90% of document deliverables have no High or Medium defects

from the first review cycle.
Good ≥90% of document deliverables have no High defects and ≥80%

have no Medium defects in the first review cycle.
Satisfactory ≥80% of document deliverables with No High defects and ≥75%

with no Medium defects in first review cycle.
Unsatisfactory <80% of document deliverables have no High defects and <75%

have no Medium defects in first review cycle
39
Effectiveness of Change Implementation.

Performance Standard: Minimize defects introduced during current Sprint into completed
Story code from previous Sprints. The goal is to ensure that changes to the code base do not
“break” previously accepted functionality. The agile approach promotes refactoring, but such
refactoring should not leave new defects in the baseline by the end of the given Sprint: such
new defects should be resolved by Sprint completion. These defects would be identified in
regression testing at Sprint completion.
Performance Measurement: 100*[Stories from previous Sprint(s) without new defects] /

[Total Number of Stories from previous Sprint(s)]
Method of Surveillance: 100% inspection of regression test results at Sprint Completion.
Rating Description
Excellent ≥90% of previous Sprint Story functionality passes Sprint-end

regression tests without new defects.
Good <90% and ≥80% of previous Sprint Story functionality passes

Sprint-end regression tests without new defects
Satisfactory <80% and ≥70% of previous Sprint Story functionality passes

Sprint-end regression tests without new defects
Unsatisfactory <70% of previous Sprint Story functionality passes Sprint-end

regression tests without new defects
40

2.2.1 Attachment B - PWS - Final

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

2.2.1 Attachment B - PWS - Final

Uploaded by

Copyright:

Available Formats

Procurement Sensitive

Performance Work Statement

U.S. Immigration and Customs Enforcement (ICE)

PROCUREMENT SENSITIVE INFORMATION

Attachment B: Performance Requirements Summary .................................................................37

PROCUREMENT SENSITIVE INFORMATION

Performance Work Statement

3.0 Scope of Work

4.0 Roles and Responsibilities

the Security Area Manager, IAD.

5.0 Technical Overview

5.1 System Description

5.2 Internal Interfaces

Table 1. Internal System Interfaces

6.0 DHS Enterprise Architecture Compliance

of whether the acquisition is for modification, upgrade, or replacement. All EA-related

7.0 SETA Environments Overview

9.1 O&M Support

9.2 Project Management

9.3 Maintain Data / Software Administration

• SEVP’s governing regulations for students and schools - https://www.ice.gov/sevis/schools/reg

• e-CFR: Exchange Visitor Program – http://www.ecfr.gov/cgi-

• SEVP Final Guidance1 - https://studyinthestates.dhs.gov/sevp-guidance-for-comment

9.4 Identify Problem and Modification Process

9.5 Requirements Analysis Management

The Contractor shall:

9.6 User Management

9.7 Maintain System / Software

The SETA application shall have an overall availability of 99.995%.

9.8 Break-fixes and Security Management

9.8.1 Emergency Break-fixes Implementation

9.8.2 Cybersecurity Management

a critical component of the overall DHS cybersecurity program.

9.9 Software Development Processes and Tools

Disposition activities include but are not limited to:

Table 2: List of Deliverables for Baseline/Core Requirements

10.1 Project Management Plan and High-Level Project Roadmap

10.2 Product Roadmap

Product roadmaps needs to include the following types of components:

10.3 System Lifecycle Management (SLM) Deliverables

10.4 Enterprise Systems Assurance Plan (ESAP)

• Conforms to Technical Architecture and established quality standards

10.5 Configuration Management

10.6 Transition-out Plans

10.7 Kick-Off briefing

11.0 Key Personnel

11.1 IT Project Manager (PM) - Level III

Educational Requirements: The PM shall have a minimum of a Bachelor’s degree.

Experience Requirements: In addition to the educational requirements, the PM shall have a

11.2 Training Content Project Manager (PM)

Educational Requirements: The Training Content PM shall have a minimum of a Bachelor’s

Experience Requirements: In addition to the educational requirements, the Training Content PM

• Being a certified 508 Tester;

• Ability to create and track content projects; and

11.3 Sr Technical Application Developer

Educational Requirements: The Sr Technical Application Developer shall have a minimum of a

Experience Requirements: In addition to the educational requirements, the Sr Technical

11.4 Web Designer/Sr Applications Developer

12.0 General Requirements

12.2 Place of Performance

12.3 Hours of Operations

12.4 Non-Personal Services