Cloud Based Internet Isolation Service

Amendment / Modification

This amendment (0005) to Solicitation HC108426R0005 makes the following changes:

• Attachment 9, RFP Question and Answer Template: Updated to include answers to additional questions.
• Attachment 3, CLIN Pricing Worksheet: Updated to change "Maximum # of Users" to "Units."
• Addendum to 52.212-1(a) Factor 2. Price (b): Updated to clarify that surge support will be provided at the same rates proposed and found fair and reasonable at the time of contract award for the applicable period of performance.
• DFARS Clause 252.232-7007: Added "Limitation of Government's Obligation (April 2014)."
• Clause H6: Added "Option to Exercise Surge Support (March 2023)."

• Attachment 9 (RFP Q&A Template)

• Attachment 3 (CLIN Pricing Worksheet)

• Addendum to 52.212-1(a)

• DFARS Clause 252.232-7007

• Clause H6

• The proposal due date remains March 30, 2026, by 12:00 PM CST.

Form / Attachment / Pricing Sheet

This document is a pricing worksheet template provided by the Defense Information Systems Agency (DISA) for the Cloud Based Internet Isolation (CBII) Recompete opportunity. Bidders are required to use this template to submit their proposed pricing.

• Instructions: Bidders must complete the Summary sheet and all corresponding sheets, ensuring all formulas are included and calculations are correct. Links between proposed details and the Summary must be established. "Pricing notes" are not permitted. Additional rows, columns, or tabs can be added as necessary, with costs rolling up to the appropriate sheets.
• Summary Sheet: Details the Solicitation Title (Cloud Based Internet Isolation (CBII) Recompete), Solicitation Number (842571495), and outlines the CLIN structure. It includes CLIN descriptions, contract types (FFP, COST), and pricing breakdowns for Base Period, Option Periods 1-4, a 6-Month Extension (for evaluation purposes only), and a Surge CLIN (Cost Reimbursable, Not to Exceed).
• CLIN Structure: Includes CLINs for CBII Managed Service, CBII HEAT Shield Managed Service, and Travel. Pricing for the managed services is listed as $0.0 for all periods, while Travel is a Cost-Reimbursable CLIN with specified pricing.
• Notes: Clarifies the purpose of the 6-Month Extension (evaluation only, FAR 52.217-8) and the Surge CLIN (Cost Reimbursable, NTE).

This worksheet is critical for bidders to accurately format and submit their pricing proposals. It dictates how costs should be presented, including the breakdown across contract periods and specific CLINs. Failure to adhere to the template's instructions and structure may impact proposal evaluation.

Questions & Answers / Clarifications

This document contains questions submitted by potential bidders and the Government's responses, clarifying various aspects of the solicitation and its associated documents.

• Pricing Model: The contract will be Firm-Fixed Price (FFP), with monthly invoicing based on 3.2 million DoW users, not actual usage. Usage-based pricing and the 75% notification requirement have been removed from CLINs. The proposed unit price is a monthly rate.
• Proposal Submission: File size limits for Volume II (Technical/Management Approach) have been increased to 20MB. Both PowerPoint and PDF formats are acceptable for Volume II; only one is required. Cover slides, agenda/summary slides, and company profiles/resumes do not count towards page or slide limits.
• CMMC Requirements: Offerors need a CMMC Level 2 (Self) assessment at award, with CMMC Level 2 (C3PAO) required by the first option year. Subcontractors also have specific CMMC requirements based on their role.
• Cybersecurity: Only brand-name Menlo Security, Inc. (MSCB) is acceptable. The test environment will be provided by Menlo Security.
• Period of Performance: The DD254 period of performance will be updated to align with the PWS dates, anticipated to begin April 15, 2026.
• Small Business: There are no specific subcontracting plan goals required for this solicitation.
• Oral Proposals: Menlo Security, Inc. is excluded from participating in any oral presentations.

Numerous sections of the RFP, PWS, and CLIN pricing worksheets have been updated based on these Q&As, including clarifications on pricing, submission requirements, CMMC compliance, and technical specifications. Offerors should review all updated documents.

Questions & Answers / Clarifications

This document contains questions submitted by potential bidders and the Government's responses, clarifying various aspects of the solicitation.

• Pricing and Invoicing: The contract will be Firm-Fixed Price (FFP), with monthly invoicing based on 3.2 million DoW users, not actual usage. Usage-based pricing and the 75% usage notification requirement have been removed from CLINs. The proposed unit price is a monthly rate.
• Proposal Submission: The proposal due date has been extended. File size limits for Volume II (Technical/Management Approach) have been increased to 20MB. Cover pages, table of contents, and summary slides are excluded from page limits.
• Cybersecurity Maturity Model Certification (CMMC): Offerors need a CMMC Level 2 (Self) assessment at award, with CMMC Level 2 (C3PAO) required by the first option year. Subcontractors also have CMMC requirements based on data handling.
• Technical Requirements: The core technology is Menlo Security, Inc. (MSCB). While the MSP is not prohibited from subcontracting, only brand-name Menlo Security is acceptable for the core solution. Architectural diagrams will be provided after award due to sensitivity.
• Small Business Participation: There are no specific subcontracting goals for this solicitation.

Several sections of the RFP, PWS, and Attachments have been updated based on these Q&As, including clarifications on pricing, proposal organization, technical requirements, and compliance mandates. Bidders should review all updated documents.

Amendment / Modification

This amendment (0004) to Solicitation HC108426R0005 modifies several aspects of the original solicitation:

• Updated Attachments: Attachment 1 (PWS), Attachment 3 (CLIN Pricing Worksheet), and Attachment 9 (RFP Question and Answer Template) have been updated to remove usage-based pricing.

• CLIN Updates: CLINs x001 and x002 have been updated to remove usage-based pricing.

• Addendum Update: The addendum to 52.212-1 Pricing Information has been updated.

• Deadline Extension: The proposal due date has been extended to March 30, 2026, at 12:00 PM CST. Offerors must resubmit their proposals in their entirety.

• Question Deadline: Additional questions are now due by March 26, 2026, at 10:00 AM CST.

• Attachment 1, PWS_Amend 0004

• Attachment 3, CLIN Pricing Worksheet_Amend 0004

• Attachment 9, RFP Question and Answer Template_Amend 0004

• CLINs x001 and x002

• Addendum to 52.212-1 Pricing Information

• The proposal due date has been extended to March 30, 2026.

• The deadline for submitting additional questions has been extended to March 26, 2026.

• All previously submitted proposals must be resubmitted in their entirety to reflect these changes.

Form / Attachment / Pricing Sheet

This document is a pricing worksheet template provided by the Defense Information Systems Agency (DISA) for the Cloud Based Internet Isolation (CBII) Recompete opportunity. Offerors are required to use this template to submit their proposed pricing.

• Instructions: Bidders must complete the Summary and all corresponding sheets, ensuring all formulas are included and calculations are correct. Links between sheets and cells are required. No "pricing notes" should be included. Additional rows, columns, or tabs may be added as necessary, with costs rolling up to the appropriate sheets.
• Summary Sheet: Details the CLIN structure, including CLIN descriptions, contract types (FFP, COST), base period, option periods (1-4), a 6-month extension for evaluation purposes (per FAR 52.217-8), and a Surge CLIN. It outlines the total evaluated price across all periods.
• Period Sheets (Base Year, OY1, OY2, OY3, OY4): These sheets break down the pricing by CLIN for each contract period, specifying units, proposed prices, and extended prices.

This worksheet is critical for bidders to accurately propose pricing for the CBII Recompete. It dictates the format and required detail for cost submissions, ensuring traceability and compliance with government instructions. Bidders must carefully follow the instructions to ensure their proposal is compliant and their pricing is verifiable.

Performance Work Statement (PWS)

To maintain and enhance a secure, managed cloud-based internet isolation (CBII) service for up to 3.4 million Department of War (DoW) users, ensuring safe and reliable access to web resources and mitigating cyber threats.

This PWS outlines requirements for a managed service provider to deliver and sustain the Cloud-Based Internet Isolation (CBII) Managed Service, leveraging the Menlo Security Cloud Browser (MSCB) solution. Key areas include:

• Program Support: Drafting agendas, managing meetings, financial management, configuration management, and administrative tasks.
• Managed Services: Contract management, schedule management, weekly activity reporting, after-action reporting, documentation management, and monthly service utilization reporting.
• Unclassified/NIPRNET Production Environment: Delivering, deploying, and sustaining a FedRAMP+ Level 2 compliant cloud service offering (CSO) engineered by Menlo Security, Inc. This includes features like internet traffic isolation, threat mitigation, bandwidth freeing, multi-tenancy, content control, data loss prevention (DLP), and robust cybersecurity measures.
• Operational Service Support: Providing a tiered service desk (Tier I, II, III) for 24x7x365 support, incident management, request fulfillment, and knowledge management via a self-service portal.
• Accreditation & Authorization (A&A): Supporting the Risk Management Framework (RMF) lifecycle, security engineering, and A&A activities to maintain compliance with DoD directives.
• Migration, Readiness Assessments, and Sustainment: Developing and executing a migration approach to minimize business impact, providing technical support during upgrades and enhancements.
• Training: Developing and delivering online instructor-led training for subscribers, administrators, and trainers.
• Engineering Support Services: Providing systems, architecture, network, configuration, test, cybersecurity, and mobility engineering support.

Performance is measured against Acceptable Quality Levels (AQLs) for various tasks, including deliverable accuracy, timeliness, and effectiveness. Specific metrics are detailed for contract management, reporting, service desk operations (e.g., time to resolve tickets), and A&A compliance.

• Period of Performance: One-year base ordering period and four one-year option ordering periods (totaling up to five years), with a base period from April 15, 2026, to April 14, 2027.

• Place of Performance: Work may be performed remotely or on-site at government facilities (e.g., DISA Ft. Meade, MD). Classified work requires specific clearances and locations.

• Security: Requires personnel with a final Secret clearance. Compliance with DoD security directives, FedRAMP+ Level 2 requirements, and cybersecurity mandates (including CMMC Level 2) is essential.

• Certifications: Cybersecurity personnel must meet DoD 8570.01-M requirements.

• Interoperability: Must be interoperable with DISN Joint Infrastructure (DJI) security stack and support IPv6.

• Data Management: All data must reside on servers located in the United States and be subject only to U.S. law.

• Deliverables: Numerous Contract Data Requirements List (CDRL) items are specified, including various plans, reports, and documentation.

Amendment / Modification

This amendment (0003) to Solicitation HC108426R0005 updates several attachments and provides answers to additional questions. Key changes include:

• Updated Attachments: Attachment 1 (PWS) and Attachment 3 (CLIN Pricing Worksheet) have been revised.

• Updated Q&A: Attachment 9 (RFP Questions and Answers Template) has been updated with responses to further vendor questions.

• Pricing Information: Addendum to 52.212-1 and 52.212-2 regarding pricing information has been updated.

• Attachment 1, PWS_Amend 0003

• Attachment 3, CLIN Pricing Worksheet_Amend 0003

• Attachment 9, RFP Questions and Answers Template_Amend 0003

• Addendum to 52.212-1 and 52.212-2 Pricing Information

• The proposal due date remains unchanged: March 23, 2026, at 3 PM CST.

• Vendors are instructed to use the updated attachments and Q&A when preparing their proposals.

Performance Work Statement (PWS)

To maintain and enhance a secure browser isolation solution, delivered as a managed service, providing up to 3.4 million Department of War (DoW) users with safe and reliable access to web resources. This managed service is critical for mitigating cyber threats, enhancing information system security, and eliminating vulnerabilities.

This contract requires a managed service providing a cloud environment utilizing the Menlo Security Cloud Browser (MSCB) solution for Cloud-Based Internet Isolation (CBII). The solution includes all necessary hardware, software, and infrastructure to deliver a secured, flexible, scalable, and globally accessible cloud environment. Key capabilities include destination-based whitelisting/blacklisting, web content filtering, malware scanning, data loss prevention (DLP), and web isolation within a secure container. The managed service also encompasses program support, tiered service desk infrastructure, engineering, migration support, user training, and accreditation & authorization (A&A) support.

Performance requirements are detailed across various tasks, including program support, operational service support, and engineering. Key performance indicators (KPIs) and acceptable quality levels (AQLs) are defined for deliverables such as contract management plans, weekly activity reports, incident response times, and system availability. Specific metrics include timely incident resolution, accurate reporting, and adherence to security standards like FedRAMP+ Level 2.

• Period of Performance: One-year base ordering period with four one-year option ordering periods (totaling up to five years). Base period: April 15, 2026 - April 14, 2027.

• Place of Performance: Primarily remote/on-site at contractor facilities. On-site work at Government facilities (e.g., DISA Ft. Meade, MD) may be required for classified tasks. Travel within CONUS/OCONUS may be required and must be pre-approved.

• Security: Requires personnel with a final Secret security clearance. Compliance with DoD 8500 series publications, RMF, and FedRAMP+ Level 2 standards is mandatory. Personnel must meet cybersecurity workforce certification requirements (DoDI 8570.01-M).

• Compliance: Must adhere to DoW mandates for IPv6, DISN Joint Infrastructure (DJI) security stack compatibility, and risk management assessment requirements.

• Interoperability: Must be interoperable with DISA's DJI security tools and support DoW PKI/PIV authentication.

• Managed Service: Includes 24x7x365 Tier I, II, and III service desk support, program management, engineering, migration, and training.

• CMMC: Requires CMMC Level 2 (C3PAO) compliance, with a one-year grace period for self-compliance at award to achieve C3PAO.

Questions & Answers / Clarifications

This document contains questions submitted by potential bidders and the government's responses, clarifying various aspects of the solicitation for the CBII Managed Service.

• Pricing and Invoicing: The government clarified that pricing is expected to be a fixed price per user per month, invoiced monthly in arrears based on actual usage. The definition of "actual usage" equates to active CBII users per month, averaging 2.0-2.1 million. The pricing worksheet has been updated to reflect a monthly rate.
• Proposal Submission: The proposal due date has been extended. File size limits for Volume II have been increased to 20MB. Font size requirements for slides have been clarified, and certain elements like cover pages, tables of contents, and closing slides are excluded from page count limits.
• Cybersecurity Maturity Model Certification (CMMC): While CMMC Level 2 (C3PAO) is the final requirement, vendors can bid with a minimum compliance of CMMC Level 2 (Self) at award, with C3PAO compliance required by the first option year.
• Small Business Participation: There are no specific goals for small business participation beyond general requirements.
• Technical Requirements: The government clarified that only the brand-name Menlo Security, Inc. (MSCB) is acceptable for certain requirements. Specific details regarding user counts, integration protocols, and test environments have been provided.
• Contract Structure: There is ongoing clarification regarding the Firm-Fixed-Price (FFP) designation versus the "actual usage" invoicing method, with the government maintaining the latter.

Several amendments have been made to the RFP and PWS based on these Q&As, including updates to proposal submission guidelines, technical requirements, and clarification on CMMC compliance timelines. The proposal due date has been extended.

Form / Attachment / Pricing Sheet

This document is a pricing worksheet (Excel spreadsheet) provided by the Defense Information Systems Agency (DISA) for the Cloud Based Internet Isolation (CBII) Recompete opportunity. It serves as a template for offerors to detail their proposed pricing.

• Instructions: Offerors must complete the Summary sheet and all corresponding sheets, ensuring all formulas are included and calculations are correct. Links between sheets and cells must be established. "Pricing notes" are not permitted. Additional rows, columns, or tabs can be added as necessary, with costs rolling up to the appropriate sheets.
• Summary Sheet: Details the Solicitation Title (Cloud Based Internet Isolation (CBII) Recompete), Solicitation Number (842571495), and CLIN structure. It includes CLIN descriptions (CBII Managed Service, CBII HEAT Shield Managed Service, Travel, Surge), contract types (FFP, COST), and pricing breakdowns for Base Period, Option Periods 1-4, a 6-Month Extension (for evaluation purposes per FAR 52.217-8), and a Total Evaluated Price. Surge CLINs are Cost Reimbursable (CR) Not to Exceed (NTE).
• Period Sheets (Base Year, OY1-OY4): Provide detailed breakdowns for each CLIN, including proposed unit prices, extended prices, evaluation quantities, and total prices per period.

This worksheet is critical for bidders to accurately calculate and present their proposed costs in the format required by DISA. It outlines the specific CLINs, contract types, and pricing periods that must be addressed. Bidders must ensure their submitted pricing aligns with this template, including all required formulas and traceability to source information, to comply with the solicitation requirements.

Questions & Answers / Clarifications

This document contains questions submitted by potential bidders and the Government's responses, clarifying various aspects of the solicitation (RFP No.: HC108426R0005) and its associated documents, including the Performance Work Statement (PWS).

• Cybersecurity Requirements: Questions regarding the fulfillment of cybersecurity requirements using specific technologies (Menlo Security) versus additional OEM integrations were clarified. The technical solution is the MSCB, but the MSP is not prohibited from subcontracting integrator work.
• Invoicing and Pricing: Significant discussion occurred regarding the Firm-Fixed-Price (FFP) contract designation versus invoicing based on actual usage. The Government maintains that pricing is expected to be fixed price per user per month, invoiced monthly in arrears based on actual usage, with actual usage defined as active CBII users per month (averaging 2.0-2.1M).
• Proposal Submission Requirements: Numerous clarifications were made regarding proposal formatting, including font types and sizes, page limits for various volumes, slide counts, cover letters, and file size limits (updated to 20MB).
• Small Business Participation: It was clarified that there are no specific subcontracting plan goals or Small Business Participation Plan requirements for this solicitation.
• CMMC Requirements: The Cybersecurity Maturity Model Certification (CMMC) Level 2 requirement is clarified. Vendors with a minimum compliance of CMMC Level 2 (Self) can bid, but the winning vendor must attain CMMC Level 2 (C3PAO) compliance by the first option year.
• Period of Performance: Clarification was provided that the estimated period of performance is anticipated to begin April 15, 2026, and the DD254 may be updated prior to award.

Several amendments were issued based on these Q&As, including updates to the Addendum to 52.212-1 and 52.212-2, the PWS, and the CLIN Pricing Worksheet. The proposal due date was also extended in response to the volume of questions and their impact on proposal preparation.

Form / Attachment / Pricing Sheet

This document is a pricing worksheet template provided by the Defense Information Systems Agency (DISA) for the Cloud Based Internet Isolation (CBII) Recompete opportunity. Bidders are required to use this template to detail their proposed pricing.

• Instructions: Bidders must complete the Summary sheet and all corresponding sheets, ensuring all pricing is verifiable and traceable. Formulas must be included, and "pricing notes" are prohibited. Additional rows, columns, or tabs may be added as necessary, with costs rolling up to the appropriate sheets.
• Summary Sheet: This sheet requires the Solicitation Title (Cloud Based Internet Isolation (CBII) Recompete) and Solicitation Number (842571495). It outlines the CLIN structure, including CLIN Description, Contract Type, Base Period, Option Periods 1-4, Subtotal, a 6-Month Extension (for evaluation purposes only), and Total Price.
• CLINs:
  • x001: CBII Managed Service (FFP)
  • x002: CBII HEAT Shield Managed Service (FFP)
  • x003: Travel (COST)
• Surge CLIN: A "Surge" CLIN (0.05) is included for evaluation.
• Notes: Specific instructions are provided for the 6-Month Extension (evaluation only, not on contract) and the Surge CLIN (Cost Reimbursable, Not to Exceed).
• Detailed Sheets: Separate sheets for Base Year and Option Years 1-4 provide fields for Proposed Unit Price and Extended Price for each CLIN.

This worksheet is critical for bidders to accurately propose pricing for the CBII Recompete. It dictates the format for cost submissions, requires detailed breakdowns across contract periods, and specifies how different CLINs and extensions should be priced and presented. Failure to adhere to these instructions may impact proposal evaluation.

Amendment / Modification

This amendment (0002) to Solicitation HC108426R0005 updates several components:

• Attachment 3, CLIN Pricing Worksheet: Updated.

• Attachment 9, RFP Question and Answers Template: Updated to amend responses to questions 51, 126, and 127.

• CLIN Description: The description for CLIN x002 has been updated.

• New Clause Added: FAR Clause 52.217-7, "Option for Increased Quantity--Separately Priced Line Item," has been added.

• Addendum Updates: Addenda to FAR 52.212-1 and 52.212-2 regarding Pricing Information have been updated.

• Attachment 3 (CLIN Pricing Worksheet)

• Attachment 9 (RFP Questions and Answers Template)

• CLIN x002 description

• FAR Clause 52.217-7 (added)

• Addenda to FAR 52.212-1 and 52.212-2

• Question Due Date: Remains unchanged (March 11, 2026, at 3 PM CST).

• Proposal Due Date: Remains unchanged (March 23, 2026, at 3 PM CST).

No other terms and conditions from the original solicitation have been changed.

Questions & Answers / Clarifications

This document contains questions submitted by potential bidders and the Government's responses, clarifying various aspects of the solicitation for the CBII Managed Service. These clarifications often result in amendments to the original solicitation documents.

• Pricing and Invoicing: The Government maintains that the contract will be invoiced monthly in arrears based on actual usage, despite the Firm-Fixed-Price (FFP) designation. Pricing is expected to be fixed per user per month. The definition of "actual usage" equates to active CBII users per month, with an average of 1-1.5M concurrent users.
• Proposal Submission Requirements: Several questions addressed page limits, font types/sizes, file size limits (updated to 20MB), and the inclusion of specific documents like cover letters, resumes, and Non-Disclosure Agreements (NDAs). NDAs are not required with the proposal but within one week of contract award.
• Cybersecurity and CMMC: The requirement for CMMC Level 2 (C3PAO) at award is clarified. Vendors with a minimum compliance of CMMC Level 2 (Self) can bid, but must attain CMMC Level 2 (C3PAO) by the first option year. Subcontractors also have specific CMMC requirements based on data handling.
• Technical Requirements: Clarifications were provided regarding the scope of engineering support, integration with DISA ticketing systems (ITSM+), and the acceptable cloud environments. Specific details on user counts for licensing and potential surge support were also addressed.
• Small Business Participation: There are no specific goals for small business subcontracting or participation plans required.
• Contract Period of Performance: The DD254 period of performance is an estimate and anticipated to begin April 15, 2026, with the DD254 subject to update prior to award.

Numerous amendments have been issued based on these Q&As, affecting various sections of the RFP, including administrative requirements, proposal organization, evaluation factors, and specific PWS sections. The proposal due date has been extended multiple times in response to the volume of questions.

Justification for Other Than Full and Open Competition (J&A)

This document justifies the use of other than full and open competition for the procurement of the Cloud Based Internet Isolation (CBII) Service. The action involves renewing and procuring new subscription licenses for Menlo Security, Inc.'s Cloud Browser (MSCB) product, provided as a managed service. This service is essential for the Department of War's (DoW) remote browsing isolation (RBI) solution for CBII, enhancing cybersecurity measures with AI/ML capabilities.

• A secure, cloud-based browser isolation managed service for DoW users.

• Provides safe and reliable access to web resources, isolating commercial web browsing from DoW networks.

• Enhances web browsing protection, optimizes web traffic, and reduces network strain.

• Supports over 3 million users, with capacity to scale up to 3.4 million.

• Must be FedRAMP+ Level 2 compliant.

• Supports IPv6 traffic.

• Requires a Secret facility clearance for the managed service provider.

• Includes advanced features like AI/ML for threat detection, remote document viewing, and granular policy controls.

• Contract Type: Firm Fixed Price (FFP).

• Sourcing: Open-market procedures via SAM.gov, through an authorized reseller of Menlo Security, Inc.

• Funding: Fiscal Year 2026 Defense Working Capital Funds.

• Period of Performance: One-year base period with four one-year option periods (April 15, 2026 – April 14, 2031).

• This document is a justification for other than full and open competition, not a solicitation for proposals.

• The government will determine if prices offered are fair and reasonable.

• This procurement is for a brand-name commercial off-the-shelf (COTS) product (Menlo Security, Inc.'s MSCB).

• The requirement cannot be set aside for small businesses due to subcontracting limitations.

• Market research indicates that only the specific OEM proprietary, brand-name MSCB can meet the current requirements due to interoperability and system constraints.

• The MSCB solution has been in use since 2020 and is critical for protecting the DoDIN.

• Replacing the current solution would cause significant disruption and pose a threat to national security.

• The government will continue market research for future competitive actions.

Amendment / Modification

This amendment (0001) to solicitation HC108426R0005 modifies the original solicitation as follows:

• Proposal Due Date Extended: The proposal due date has been extended to March 23, 2026, at 3:00 PM CST.
• Questions Due Date Extended: The deadline for submitting questions has been extended to March 11, 2026, at 3:00 PM CST.
• Updated Q&A Template: Attachment 9, RFP Questions and Answers Template_Amend 0001, has been updated to include answers to submitted questions.
• Updated/Provided Attachments: The following attachments have been updated or provided in response to questions:
  • Attachment 1, PWS_Amend 0001
  • Attachment 2, QASP_Amend 0001
  • CBII Exhibit A - DD1423 CDRLS_Amend 0001
  • Attachment 10_CUI_CBII JA, Redacted
• Forthcoming Attachments: An updated Attachment 3, CLIN Pricing Worksheet_Amend 0001, and Addendum 52.212 Price Volume III will be provided.
• CLIN Renumbering: Several CLINs have been renumbered (e.g., CLIN 0002 to 0003, CLIN 1002 to 1003, etc.).
• New CLINs Added: CLIN 0002, CLIN 1002, CLIN 2002, CLIN 3002, and CLIN 4002 have been added, each describing the "CBII HEAT Shield Managed Service FFP" and outlining invoicing procedures and commitment notification requirements.
• Delivery Schedule Updates: Delivery schedules have been added or deleted for various CLINs (0002, 0003, 1002, 1003, 2002, 2003, 3002, 3003, 4002, 4003), with specific POP dates and delivery locations.
• Acceptance/Inspection Schedule Updates: Acceptance/Inspection schedules have been added for CLINs 0002, 1002, 2002, 3002, and 4002.
• Addendum to 52.212-1 Modified: The Addendum to 52.212-1(b), Submission of Offers, has been tailored, specifically regarding "Other Instructions."

This amendment affects the solicitation's due dates, Q&A process, various attachments, CLIN structure, delivery schedules, and specific sections of the proposal submission instructions.

Offerors must ensure their proposals reflect these changes, particularly the extended due dates for questions and proposals. All updated attachments must be reviewed and incorporated into the proposal submission.

Form / Attachment / Pricing Sheet

This document, titled "Attachment 4 CDRLS_Exhibit A_Amend 0001.pdf", is an attachment related to a SAM.gov opportunity. It is identified as Exhibit A to Amendment 0001, and pertains to Contract Data Requirements List (CDRLs).

• The document likely contains specific data requirements or deliverables that bidders need to understand and potentially fulfill as part of the overall solicitation.
• As it is part of an amendment, it may modify or add to previously stated CDRLs.

Bidders should review this attachment to understand any updated or new requirements for data submission or deliverables as specified in the CDRLs. This is crucial for accurate proposal preparation and for understanding contractual obligations if awarded.

Attachment / Form

This document is a Quality Assurance Surveillance Plan (QASP) for the Cloud Based Internet Isolation (CBII) Service contract. It outlines the government's systematic method for evaluating contractor performance.

• Roles and Responsibilities: Defines the roles of the Program/Project Manager (PM), Contracting Officer (KO), and Contracting Officer's Representative (COR) in performance oversight.
• Surveillance Methods: Details primary methods like Random Sampling and Periodic Inspection, along with a Surveillance Matrix linking performance objectives to inspection methods.
• Performance Standards & AQLs: Specifies performance objectives, Acceptable Quality Levels (AQLs), and methods of calculation for various contract tasks, including contract management, reporting, cloud service offering development, cybersecurity, operational support, risk management, user migration, and training.
• Documentation: Explains how acceptable and unacceptable performance will be documented, including the use of Performance Assessment Reports (PARs) and Corrective Action Reports (CARs).
• Compliance: Outlines mandatory compliance items, such as FAR and DFARS clauses.
• Evaluation & Ratings: Describes the performance rating system (Exceptional, Very Good, Satisfactory, Marginal, Unsatisfactory) used for contractor evaluation.

This QASP details the government's expectations for contractor performance and the methods used to measure it. Bidders should review the performance standards, AQLs, and surveillance methods to understand the quality requirements and how their performance will be assessed. This information is crucial for developing a compliant and competitive proposal and for understanding post-award performance expectations.

Performance Work Statement (PWS)

To maintain and enhance a secure browser isolation solution, delivered as a managed service, providing up to 3.4 million Department of War (DoW) users with safe and reliable access to web resources. This solution is critical for mitigating cyber threats, enhancing information system security, and eliminating vulnerabilities.

The contract requires a managed service providing a cloud environment utilizing the Menlo Security Cloud Browser (MSCB) solution. This includes all necessary hardware, software, and infrastructure to deliver a secured, flexible, scalable, globally accessible, and isolated cloud environment. Key capabilities include destination-based whitelisting/blacklisting, web content filtering, malware scanning, data loss prevention (DLP), and web isolation. The managed service also encompasses program support, tiered service desk infrastructure, engineering, migration support, user training, and accreditation & authorization (A&A) support.

Key performance areas include contract managed services, schedule management, weekly activity reporting, after-action reporting, program/briefing documentation support, and overall contract management. Specific metrics are detailed for each task, focusing on deliverable accuracy, timeliness, and adherence to plans and requirements. For the core CSO, performance objectives include specific page load times (<= 5 seconds), latency (<= 100ms), and throughput (>= 10 Gbps).

• Period of Performance: One-year base ordering period with four one-year option ordering periods (totaling up to five years). Base period: April 15, 2026 - April 14, 2027.

• Place of Performance: Primarily remote performance. Work may be performed at contractor facilities or government facilities (e.g., DISA Ft. Meade, MD). Access to SIPRNET for updating SECRET-level documentation may be required on-site.

• Security: Requires personnel with a final Secret clearance. Compliance with FedRAMP+ Level 2 requirements, DoD 8500 series publications, and RMF is mandatory. Cybersecurity workforce certification (DoD 8570.01-M) is required for relevant personnel.

• Compliance: Must adhere to FedRAMP+ Level 2, NIST SP 800-171, DoD mandates for IPv6, and DISA security standards. CMMC Level 2 (C3PAO) is required.

• Managed Services: Includes 24x7x365 Tier I, II, and III service desk support, program management, engineering, migration, training, and A&A support.

• Technology: Utilizes Menlo Security, Inc.'s Cloud Browser (MSCB) solution. Requires integration with DISN Joint Infrastructure (DJI) security stack and DoW mobility services.

• Deliverables: Numerous Contract Data Requirements List (CDRL) items are specified, including plans (CMP, LCS, SMP, SCRM, etc.), reports (WAR, MSUR, MSR, etc.), and documentation.

• Pricing: Enterprise user license agreement (EULA) subscription-based pricing is expected for up to 3.4 million users.

Justification for Other Than Full and Open Competition (J&A)

This document justifies the use of other than full and open competition for the procurement of the Cloud Based Internet Isolation (CBII) Service. The service provides a secure, managed browser isolation solution for Department of War (DoW) users, ensuring safe access to web resources and protecting DoW networks from cyber threats. The action involves renewing and procuring new subscription licenses for Menlo Security, Inc.'s Cloud Browser (MSCB) product, including its Highly Evasive and Adaptive Threats (HEAT) Shield with AI/ML capabilities.

• Secure, cloud-based browser isolation for commercial web browsing.

• Protection against malicious source code and cyber threats.

• Optimization of web traffic flow and reduction of network strain.

• Support for over 3 million DoW users, with scalability up to 3.4 million.

• Compliance with FedRAMP+ Level 2 standards.

• Support for IPv6 traffic.

• Integration with DISA's advanced security tools.

• Capabilities include threat mitigation, secure/isolated web sessions, and network optimization.

• Contract Type: Firm Fixed Price (FFP), FAR-based follow-on.

• Period of Performance: One-year base period with four one-year option periods (April 15, 2026 – April 14, 2031).

• Funding: Fiscal Year 2026 Defense Working Capital Funds.

• Sourced through open-market procedures on SAM.gov.

• This document is a justification for other than full and open competition, not a solicitation for proposals.

• The Contracting Officer will determine if prices are fair and reasonable.

• This procurement is brand-name specific to Menlo Security, Inc.'s MSCB product.

• Market research indicated no other solutions meet the government's CBII requirements or are compatible with existing infrastructure.

• The requirement cannot be set aside for small businesses due to subcontracting limitations.

• The MSCB solution has been in production since 2020 and is critical for national security.

• Replacing MSCB would cause significant disruption and pose a threat to national security.

• Future market research will be conducted to identify potential competitive actions.

Performance Work Statement (PWS)

To maintain and enhance a secure, cloud-based internet isolation (CBII) managed service for up to 3.4 million Department of War (DoW) users, providing safe and reliable access to web resources while mitigating cyber threats.

This PWS outlines requirements for a managed service utilizing the Menlo Security, Inc. (MSCB) solution. Key areas include:

• Program Support: Drafting agendas, managing meetings, financial management, program management, and administrative tasks.
• Managed Services: Contract management, schedule management, reporting (Weekly Activity Reports, After Action Reports), documentation management, and financial oversight.
• Cloud Service Offering (CSO): Delivering, deploying, and sustaining an unclassified CSO engineered by Menlo Security, Inc. This includes isolation of internet traffic, threat mitigation, bandwidth freeing, and compliance with FedRAMP+ Level 2 requirements.
• Operational Service Support: Providing a tiered service desk infrastructure (Tier 0, I, II, III) for end-user support, incident management, and request fulfillment.
• Accreditation & Authorization (A&A): Supporting all phases of the Risk Management Framework (RMF) and A&A lifecycle, including security engineering and compliance with DoD 8500 series publications.
• Migration, Readiness Assessments, and Sustainment: Developing and executing a user migration strategy, providing technical support during upgrades and enhancements.
• Training: Developing and delivering training materials for subscribers, administrators, and instructors.
• Engineering Support: Providing systems, architecture, network, configuration management, test, cybersecurity, and mobility engineering services.

Performance standards are defined for various tasks, including contract management plan completeness, schedule accuracy, report timeliness, documentation accuracy, CSO engineering effectiveness, operational support response times, A&A compliance, migration support, and training delivery. Specific Acceptable Quality Levels (AQLs) are detailed for each task.

• Period of Performance: One-year base ordering period and four one-year option ordering periods (totaling up to five years). Base period: April 15, 2026 - April 14, 2027.

• Place of Performance: Primarily remote/on-site at contractor facilities. Classified work may require performance at government facilities (e.g., DISA Ft. Meade, MD). Travel may be required.

• Security: Personnel must possess Final Secret clearance. Compliance with DoD 8500 series, FedRAMP+ Level 2, and CMMC Level 2 (C3PAO) is required.

• Identity Management: Support for DoW PK-Enabled/PIV authentication, Role-Based Access Control (RBAC).

• Interoperability: Must integrate with DISN Joint Infrastructure (DJI) security stack, support IPv6, and comply with DoD mandates.

• Data Management: All data must reside in servers located in the United States. Compliance with data breach reporting and privacy impact assessment requirements.

• Supply Chain Risk Management (SCRM): Submission of an SCRM plan is required.

• Section 508 Accessibility: ICT must conform to Revised 508 Standards.

• Cybersecurity: Emphasis on AI/ML for threat detection and mitigation (HEAT Shield), Data Loss Prevention (DLP), and compliance with various cybersecurity frameworks.

Form / Attachment / Pricing Sheet

This document is a template for submitting Questions and Answers (Q&A) regarding the Request for Proposal (RFP) HC108426R0005. It provides instructions for bidders on how to format and submit their questions, comments, and recommendations.

• Instructions: Details on how to complete the spreadsheet, including not changing the format and deleting sample blue text.
• Column B (Page): Requires the specific page number from the contract.
• Column C (Section/Paragraph): Requires the applicable section and paragraph number from the contract.
• Column D (CLIN/Clause/Other): Requires CLIN, Clause, Provision, Appendix, or Attachment numbers.
• Column E (Questions/Comments/Recommendations): Requires bidders to state their questions or comments, prefaced by the topic.
• Government Response: A column for the government's response (left blank in the provided sample).

This template is crucial for bidders to effectively communicate any questions or concerns about the RFP. Following these instructions ensures that questions are submitted in the correct format, which can expedite the government's response process and ensure clarity. Bidders must use this template to submit their inquiries related to the RFP, including specific references to contract pages, sections, or attachments.

Form / Attachment / Pricing Sheet

This document is a proposal template provided by the Defense Information Systems Agency (DISA) for cost/price evaluation. It serves as guidance for Offerors to detail and verify their proposed pricing.

• Instructions: Offerors must complete the CLIN Summary and all corresponding sheets, ensuring all formulas are included and calculations are correct. Pricing notes are not permitted. Additional rows, columns, or tabs can be added as necessary, with costs rolling up to appropriate sheets.
• CLIN Structure: The template includes sections for Base Year, Option Years 1-4, and a Summary sheet. It outlines two main CLINs: CLIN x001 (CBII Managed Service) and CLIN x002 (Travel).
• Pricing Details: For CLIN x001, Offerors must provide a detailed build-up of proposed pricing, including labor, and specify the basis for the price (e.g., commercial price list, prior prices). For CLIN x002 (Travel), a placeholder cost of $15,000.0 is provided for each period.
• Summary Sheet: This sheet consolidates CLIN information, contract types (FFP for Managed Service, Cost-Reimbursable for Travel), and estimated prices for the Base Period through Option Period 4, including a 6-month extension for evaluation purposes.

This worksheet is critical for bidders to accurately structure and present their cost proposals. It ensures traceability of pricing from detailed breakdowns to the CLIN Summary, as required by the RFP/RFQ. Offerors must adhere to the template's instructions for formula inclusion, calculation accuracy, and data traceability to ensure compliance with the government's cost/price evaluation process.

Form / Attachment / Pricing Sheet

This document is a checklist for reviewing a Subcontracting Plan, as required by FAR 52.219-9. It outlines the essential elements that a subcontracting plan must contain for approval. Bidders are expected to use this checklist to ensure their proposed subcontracting plan meets all regulatory requirements.

This checklist details 17 required elements for a subcontracting plan, including:

• Identification of the contractor, date, and solicitation details.
• Specific goals for subcontracting with various small business categories (Small Business, Small Disadvantaged Business, Women-Owned Small Business, HUBZone Small Business, Veteran-Owned Small Business, Service-Disabled Veteran-Owned Small Business) across different contract periods.
• Descriptions of the types of supplies and services to be subcontracted.
• Methods for developing goals and identifying potential sources.
• Assurances regarding the equitable opportunity for small businesses to compete, reporting requirements (ISR/SSR via eSRS), and record-keeping.
• Provisions for timely payments to subcontractors and the ability for subcontractors to discuss matters with the Contracting Officer.
• Requirements for a signature page with appropriate approvals.

Bidders must submit a compliant subcontracting plan as part of their proposal. This checklist serves as a guide to ensure all necessary components are included, which is critical for proposal acceptability. Failure to meet these requirements can lead to a plan being rated as 'Unacceptable'.

Form / Attachment / Pricing Sheet

This document, "Attachment 7 GFP Attachment.xlsx", is an Excel spreadsheet that serves as an attachment to a solicitation. It details Government Furnished Property (GFP) that will be provided to the selected contractor for use during contract performance.

• The attachment contains a list of "Requisitioned Items" or "Provisioned" GFP items.
• Each item includes a line number, item name, and description.
• Fields such as NSN, Mfr CAGE, Part Number, and Model Number are present, with specific completion requirements noted:
  • '*' denotes a required field.
  • '†' indicates a minimum of one field is required.
  • '††' means if 'Mfr CAGE' or 'Part Number' is entered, the other is also required.
• Other details include serial management status, property classification and usage, quantity, unit of measure, unit acquisition cost, and whether items are to be used as-is or are upgradable.
• Contact information for the Government Contracting Officer (Angela K. Zang), including email and phone number, is provided.

Bidders must review this attachment to understand the specific Government Furnished Property that will be provided. This information is critical for:

• Accurately estimating costs.
• Planning logistics.
• Understanding the overall scope of work.
• Assessing resource needs and capabilities.
• Preparing proposals and cost estimations.
• Understanding responsibilities related to the management and use of GFP.

Form / Attachment / Pricing Sheet

This document is a Non-Disclosure Agreement (NDA) for contractor personnel working with the Defense Information Systems Agency (DISA) or other relevant DoD entities. It outlines the obligations of contractor employees regarding sensitive or proprietary information they may access during contract performance.

• Agreement to Protect Information: Contractor personnel must agree not to disclose specific categories of information, including:
  • Planning, programming, and budgeting system information.
  • Contractor bid or proposal information or source selection information.
  • Information exempt from FOIA (e.g., trade secrets, proprietary, financial).
  • Personally-identifiable information (PII) or protected health information (PHI).
  • Confidential or For Official Use Only (FOUO) information.
• Use of Information: Information must be used solely for contract performance and not for personal gain or competitive advantage.
• Post-Contract Obligations: Obligations continue after contract performance ends until the information is approved for public release.
• Return of Information: All sensitive information in possession must be returned to the Government upon contract completion.
• Sanctions: Violations may result in administrative, civil, and criminal sanctions, including removal from contract assignment.
• Permitted Disclosures: Exceptions are made for disclosures to Congress, authorized agency officials, or the Department of Justice for reporting substantial legal violations, and for disclosures required by court order.
• Whistleblower Protections: The agreement incorporates and does not supersede existing whistleblower protections and statutes related to classified information, congressional reporting, Inspector General reporting, and national security.

Bidders should be aware that personnel assigned to this contract will be required to sign this NDA. It signifies the sensitive nature of the data and systems involved in the opportunity and highlights the strict confidentiality requirements that will be imposed on contractor staff. This may impact staffing decisions and the vetting process for personnel proposed for the contract.

Attachment / Other

This document is a Quality Assurance Surveillance Plan (QASP) for the Cloud Based Internet Isolation (CBII) Service contract. It outlines the systematic methods the government will use to monitor and evaluate the contractor's performance.

• Contract Title: Cloud Based Internet Isolation (CBII) Service.
• QASP Purpose: To define what will be monitored, how, by whom, and how results will be documented. It clarifies that the contractor is responsible for their own quality control, while the government is responsible for objective performance evaluation.
• Roles: Defines the roles of the Program/Project Manager (PM), Contracting Officer (KO), and Contracting Officer's Representative (COR) in performance surveillance.
• Surveillance Methods: Primarily uses Random Sampling and Periodic Inspection.
• Performance Standards: Details specific performance objectives, Acceptable Quality Levels (AQLs), and methods of calculation for various tasks, including:
  • Contract managed services support (90% AQL).
  • Key milestone and activity reporting via Microsoft Project Schedule (100% AQL).
  • Weekly Activity Reports (WAR) (90% AQL).
  • Program/briefing documentation management (90% AQL).
  • Overall contract management services (90% AQL).
  • Development and sustainment of Cloud Service Offering (CSO) (95% AQL).
  • HEAT Shield protections implementation (95% AQL).
  • Operational support (DESMF) (100% and 90% AQLs).
  • Risk Management Framework (RMF) and Accreditation & Authorization (A&A) lifecycle support (100% AQL).
  • SOP maintenance for patching and eMASS data entry (100% AQL).
  • User migration and sustainment approach (100% AQL).
  • Training delivery and documentation (100% AQL).
  • Engineering support for new technologies (95% AQL).
  • Integrated test lab maintenance (95% AQL).
  • Mobile device service integration (95% AQL).
• Performance Documentation: Outlines processes for documenting acceptable and unacceptable performance, including the use of Performance Assessment Reports (PARs), Customer Complaint Records, and Corrective Action Reports (CARs).
• Compliance: Requires contractor compliance with specific regulations (FAR 52.222-50, DFARS 252.203-7002) and submission of affirmations regarding employee whistleblower rights.

Solicitation / RFP / RFQ

This document is a solicitation (RFP HC108426R0005) for commercial items, issued by DISA/DITCO-SCOTT-PS84. The government is procuring "CBII Managed Service" and related "Travel Cost" services. The solicitation is set aside for Unrestricted competition, with a NAICS code of 541519 and a size standard of $34,000,000.

• CBII Managed Service: Requires provision of CBII Managed Service in accordance with Performance Work Statement (PWS) Tasks 6.1 - 6.7. Invoicing is monthly in arrears based on actual usage. Contractors are obligated to notify the government at 75% of their commitment usage.

• Travel Cost: Reimbursable expenses for travel are allowed in accordance with FAR Part 31, excluding travel within 50 miles of the contractor's place of performance. Detailed travel cost breakouts are required with monthly invoices.

• Surge Support: Optional surge support is available, not to exceed 5% of the contract value.

• Contract Type: Firm-fixed-priced contract.

• Period of Performance:

  • CLIN 0001: 15-APR-2026 to 14-APR-2027
  • CLIN 0002: 15-APR-2026 to 14-APR-2027
  • CLIN 1001: 15-APR-2027 to 14-APR-2028
  • CLIN 1002: 15-APR-2027 to 14-APR-2028
  • CLIN 2001: 15-APR-2028 to 14-APR-2029
  • CLIN 2002: 15-APR-2028 to 14-APR-2029
  • CLIN 3001: 15-APR-2029 to 14-APR-2030
  • CLIN 3002: 15-APR-2029 to 14-APR-2030
  • CLIN 4001: 15-APR-2030 to 14-APR-2031
  • CLIN 4002: 15-APR-2030 to 14-APR-2031
  • CLIN 9999: Surge

• Option to Extend Services: The government may require continued performance for up to 6 months at specified rates.

• Option to Extend Term: The contract term may be extended up to five years in total.

• Offer Due Date: 12:00 PM 16 Mar 2026

• Proposal Submission: Technical and price proposals are required. Oral presentations will be conducted virtually via MS Teams.

• Evaluation: Award will be made to the responsible offeror whose proposal represents the overall best value using a lowest price technically acceptable (LPTA) evaluation process.

• Key Deadlines:

  • Questions due: NLT March 2, 2026
  • Proposals due: NLT March 16, 2026

• Set-Aside: Unrestricted.

• NAICS Code: 541519

• Size Standard: $34,000,000

• Cybersecurity Requirements: Contractors must comply with Cybersecurity Maturity Model Certification (CMMC) Level 2 requirements.

• The solicitation incorporates FAR 52.212-1, 52.212-3, and 52.212-4 by reference.

• Specific clauses are incorporated by reference and full text, including those related to cybersecurity, payment instructions (WAWF), and organizational conflicts of interest.

• Points of Contact: Contracting Officer Angela K. Zang and Contract Specialist Melissa A. Weh.

Other / Unclassified

This document is a placeholder or error message indicating that the PDF content could not be displayed by the viewer. It provides instructions for upgrading Adobe Reader and links for assistance.

This document does not contain substantive information related to a SAM.gov opportunity. It is a technical message related to PDF rendering and does not provide details on requirements, scope, or submission instructions for bidders.

Form / Attachment / Pricing Sheet

This document, titled "Attachment 4 CDRLS_Exhibit A.pdf", is an attachment to the SAM.gov opportunity record. Its specific purpose is not detailed in the provided metadata or document content, but it is likely related to contract data requirements list (CDRLs) or an exhibit.

As the document content could not be accessed, specific key elements, fields, categories, or data points cannot be identified.

Bidders should refer to the main solicitation or related documents for instructions on how to utilize or address "Attachment 4 CDRLS_Exhibit A.pdf". Its content is likely crucial for proposal preparation or fulfilling contractual obligations if awarded.