STATEMENT OF WORK
CYBERCIEGE IDENTITY AGGREGATION SCENARIOS
The Department of Computer Science, Center for Information Systems Security
Studies and Research (CISR), Naval Postgraduate School (NPS), Monterey, CA is
performing analysis on systems and procedures utilized by Defense Manpower
Data Center (DMDC) to manage DoD identity information. The analysis is
producing a set of “lessons learned”. One or more CyberCIEGE
(http://cisr.nps.edu/cyberciege/) scenarios will be developed to illustrate some
of these lessons, particularly as they relate to risks to the secrecy, integrity, or,
possibly, the availability of individual mission data through identity aggregation
or database corruption.
This work requires the expertise of professional engineers with broad experience
in the field of information assurance and network security and expertise in the
development of CyberCIEGE scenarios and the implementation of the
CyberCIEGE game engine.
The contractor shall provide technical support and subject matter expertise for
creating CyberCIEGE scenarios to illustrate identity aggregation and to make
modifications to the game engine as required.
3.0 CONTRACTOR REQUIREMENTS
The contractor shall have proven experience and expertise in:
Systems security engineering
Network security architecture and design
High assurance evaluation criteria
Architecting high assurance secure computer and network products
Developing network security education tools
Familiarity with the programming architecture of the CyberCIEGE game
Development of CyberCIEGE scenarios using the Scenario Development
Under all 4.0 tasks, the contractor shall be responsible for providing an individual
with a minimum of 10-15 years experience in developing secure computing
systems. This individual shall have proven experience programming such systems
using C, C++, and Java. This individual shall also have experience engineering
highly complex gaming scenarios for teaching network systems security, as well
as experience using the CyberCIEGE Scenario Development Tool.
4.1 Identity Aggregation Scenario Development
One or more CyberCIEGE scenarios will be developed to illustrate risks
associated with maintaining the secrecy of operational roles of individuals. For
example, a scenario may reflect the risks to an operational user if, while
performing within the operational role within a public space, the user contacts
family or friends via observable means. Another example is the risk of including
confidential identification information within generally accessed databases. A
related risk might include the failure to include a suitable “cover story” within
generally accessible databases for individuals whose actual operational missions
are described within classified databases.
5.1 Task 4.1 Deliverables
5.1.1 Email Aggregation Scenario Development. This deliverable
includes a one or more new scenarios that illustrate identity
aggregation risks as described under task 4.1. This deliverable
will also include a game engine release that incorporates
refinements as needed to support the new scenarios.
5.1.2 Lessons Learned Mapping Report. This deliverable is a brief
report identifying the lessons learned that have been
incorporated into CyberCIEGE scenarios and the potential for
addressing additional lessons learned.
Although not an explicit deliverable, it is anticipated that this work may
contribute to various research publications to which the contractor may wish to
be co-authors along with members of the NPS project team.
All deliverables are the sole property of the Naval Postgraduate School.
6.0 SCHEDULE OF DELIVERABLES
Base Deliverable Due Date
5.1.1 March 31, 2010
5.1.2 August 31, 2010
7.0 PERIOD OF PERFORMANCE AND COSTING
7.1 Period of Performance
16 February 2010 – 31 August 2010
8.0 PLACE OF PERFORMANCE
All work is to be performed on site at the following government installation:
Naval Postgraduate School
No travel is authorized under this statement of work.
All work included in this statement of work is unclassified
11.0 ACCEPTANCE OF DELIVERABLES/TECHNICAL POINT OF CONTACT
Dr. Cynthia E. Irvine OR Valerie Linhoff
Director, NPS CISR Research Associate
Naval Postgraduate School Naval Postgraduate School
Department of Computer Science Department of Computer
1411 Cunningham Rd, Bld 305 1411 Cunningham Rd, Bld 305
Monterey, CA 93943-5118 Monterey, CA 93943-5118
(831) 656 2461 (831) 656-2726
12.0 GOVERNMENT FURNISHED PROPERTY
13.0 NON-PERSONAL SERVICES STATEMENT
Contractor employees performing services under this order will be
controlled, directed, and supervised at all times by management personnel of
the contractor. Contractor management will ensure that employees properly
comply with the performance work standards outlined in the statement of work.
Contractor employees will perform their duties independent of, and without the
supervision of, any Government official or other Defense Contractor. The tasks,
duties, and responsibilities set forth in the task order may not be interpreted or
implemented in any manner that results in any contractor employee creating or
modifying Federal policy, obligating the appropriated funds of the United States
Government, overseeing the work of Federal employees, providing direct
personal services to any federal employee, or otherwise violating the
prohibitions set forth in Parts 7.5 and 37.1 of the Federal Acquisition Regulation
(FAR). The Government will control access to the facility and will perform the
inspection and acceptance of the completed work.
Monthly in arrears.
Invoices shall be submitted once a month for services rendered, travel performed, and supplies and
materials purchased during the previous month. All invoices need to be submitted electronically via
WAWF. Hard copy invoices cannot be accepted. Only one invoice may be submitted per month. Invoices
must identify the invoicing period. If charges against more than one line item have occurred during the
invoicing period, all charges must be combined into one invoice. If invoicing against travel or equipment
or supplies line items, invoices must contain a summary detailing the charges as well as an attachment of
supporting documentation. The contractor’s failure to include the necessary information or a more frequent
invoice submission than authorized will result in invoices being rejected.
Invoices for services rendered, travel performed, and materials and supplies procured under this
Contract shall be submitted electronically through Wide Area Work Flow – Receipt and
The vendor shall self-register at the web site https://wawf.eb.mil. Vendor training is available on
the internet at https://wawftraining.eb.mil. Additional support can be accessed by calling the
NAVY WAWF Assistance Line: 1-800-559-WAWF (9293).
Select the 2-in-1 Invoice within WAWF as the invoice type. The 2-in-1 Invoice prepares the
Material Inspection and Receiving Report, DD Form 250, and invoice in one document.
Back up documentation (such as timesheets, etc.) can be included and attached to the invoice in