AFARS – APPENDIX HH

Policy and PWS Language

Building Blocks

Contract Actions

Subject Area

Policy

Policy Reference/Source (AR, DFARS, AFARS, DOD, etc.)

PWS language

1a) Migrating to the Cloud

1b) New SW Development in the Cloud

2) Follow-on contracts related to common services and management

3) Cloud Hosting, use of Enterprise solutions

New Contracts

Orders Against Existing Contracts

Existing Contracts

CDRL

Cloud

All commercial cloud usage must be reported into the Army Portfolio Management System (APMS) per data EXORD 009-20

EXORD 009-20

N/A

Use of Enterprise Services

All Army systems/applications developed in, migrated to and hosted in the commercial cloud will use cArmy Enterprise common services and data services. The Army will not duplicate common services or data services that are accredited in cArmy, to include the components of the DoD Secure Cloud Computing Architecture (SCCA). If a service is required that is not yet available in cArmy, the Application/System Owner must work with the Enterprise Cloud Management Office (ECMO) before any development of that service occurs (or any dollars are obligated towards the development). A list of the currently available (as of 1 May 2020) services is included in the next tab in this spreadsheet. In the future, a dynamic website will be available that will include up-to-date listing and description of available Enterprise services: www.cloud.army.mil.

EXORD 009-20: 3.D.5.G. (U) DIRECT THE ENTERPRISE CLOUD MANAGEMENT OFFICE (ECMO) TO DEVELOP A PLAN TO CONSOLIDATE EXISTING CLOUD INSTANCES TO THE GREATEST POSSIBLE EXTENT, AND WITHOUT SIGNIFICANT IMPACT TO ONGOING OPERATIONS, TO GAIN VISIBILITY AND CONTROL OF ARMY CLOUD MIGRATIONS NLT 01 JAN 2020.

The contractor must use cArmy Enterprise common services, and data services, and all DoD Secure Cloud Computing Architecture (SCCA) components when developing, migrating to and hosting Army systems/applications in the commercial cloud. A list of the currently available common services is included in the next tab in this spreadsheet. In the future, a dynamic website will be available that will include up-to-date listing and description of available Enterprise services: www.cloud.army.mil

Required

Required

N/A

N/A

Yes

No

No

Migration Plan or Strategy to use the common services

Use of Enterprise Services

Existing cloud common services will be consolidated into cArmy as is reasonable over time, per EXORD 009-20. As existing common service contract options expire, mission owners should work with the Enterprise Cloud Management Office (ECMO) to onboard their applications into cArmy and reduce the duplicity of services across the Army.

EXORD 009-20: 3.D.5.G. (U) DIRECT THE ENTERPRISE CLOUD MANAGEMENT OFFICE (ECMO) TO DEVELOP A PLAN TO CONSOLIDATE EXISTING CLOUD INSTANCES TO THE GREATEST POSSIBLE EXTENT, AND WITHOUT SIGNIFICANT IMPACT TO ONGOING OPERATIONS, TO GAIN VISIBILITY AND CONTROL OF ARMY CLOUD MIGRATIONS NLT 01 JAN 2020.

N/A

N/A

Required

N/A

Yes

No

No

Catalog or Inventory of common services utilized within the app.

Modernization/Migration

The Army will modernize applications applying Cloud Native Design Principles, which will prioritize the use of Software as a Service (SaaS) and Platform as a Service (PaaS) (to include container technology) over Infrastructure as a Service (IaaS) models to reduce toil and overhead of maintaining Information Technology (IT) systems. Use of IaaS will be by exception and at the approval of the Enterprise Cloud Management Office (ECMO). According to the Cloud Native Computing Foundation, “cloud native technologies empower organizations to build and run scalable applications in modern, dynamic environments such as public, private, and hybrid clouds. Containers, service meshes, micro-services, immutable infrastructure, and declarative APIs exemplify this approach. These techniques enable loosely coupled systems that are resilient, manageable, and observable. Combined with robust automation, they allow engineers to make high-impact changes frequently and predictably with minimal toil.” *

Army Cloud Plan

The contractor must modernize applications migrating to commercial cloud applying Cloud Native Design Principles and will prioritize use of Software as a Service (SaaS) and Platform as a Service (PaaS) over Infrastructure as a Service (IaaS).

Mandatory

N/A

N/A

N/A

Yes

No

No

System design document

Modernization/Migration

Legacy systems undergoing modifications to adapt to a service-enabled architecture should design anti-corruption layers** to support the transitional period. Pre-bundled COTS products are excluded.

Army Cloud Plan

The contractor must ensure that legacy systems undergoing modifications to adapt to a service-enabled architecture will design anti-corruption layers to support the transitional period.

Required except pre-bundled COTS products

N/A

N/A

N/A

Yes

No

No

Architecture Drawing and Description of Solution

Software Development

The Army will build to the highest abstraction of cloud services, where possible, to include SaaS, PaaS, Database Management as a Service, and so forth, in order to accelerate testing, accreditation and fielding to the Army. Use of IaaS will be by exception and at the approval of the Enterprise Cloud Management Office (ECMO).

Army Cloud Plan

The contractor must build to the highest abstraction of cloud services in order to meet functional, technical, performance and cost goals. These services include commercial SaaS, PaaS, Database Management as a Service, and so forth, in order to accelerate testing, accreditation and fielding to the Army.

N/A

Required

N/A

N/A

Yes

No

No

Architecture Drawing and Description of Solution

Software Development

All new software development must use modern software development methodologies (e.g., agile, DevSecOps) to support rapid delivery of standardized, reliable, integrated and secure mission capabilities.

Army Cloud Plan

The contractor must use modern software development methodologies (e.g., agile, DevSecOps) to support rapid delivery of standardized, reliable, integrated and secure mission capabilities.

Optional

Required

N/A

N/A

Yes

No

No

Software Development Plans

Software Development

All new software acquisitions should use microservices architecture and automation where technically and economically feasible.

Army Cloud Plan

The contractor must use microservices architecture and automation where technically and economically feasible.

Optional

Required

N/A

N/A

Yes

No

No

Software Development Plan and Architecture

Software Development

In order to create interoperable, accessible and visible services, all interface information will be published in the Army Enterprise Data Services Catalog (EDSC).

Army Data Plan

The contractor must comply with publishing all application programming interface (API) information within the Enterprise Data Services Catalog (EDSC)

Required

Required

N/A

N/A

Yes

Yes

No

Plan and Schedule for publishing to EDSC

Security

Reference DoD Instruction 8580.1; each DoD information system is required to have an Information System Security Manager (ISSM) and must implement DoD Risk Management Framework (RMF) governed by DoD Instruction 8510.01, for DoD Information Technology (IT). All cloud instances will inherit RMF controls to the greatest extent allowable by the Authorizing Official.

Mandatory Implementation of Army Data Standards Services Requirements Memo (10 April 2020), Principle DSR-1. 2. Impact-level Guidance for Data Migrating to Army-approved Cloud Environments (1 May 2020) 3. Authorization Guidance for IT Capabilities Migrating to Army-approved Cloud Environments. (1 May 2020)

The contractor must comply with implementation of the DoD Risk Management Framework (RMF) as governed by DoD Instruction 8510.01, for DoD Information Technology (IT).

Required

Required

N/A

N/A

Yes

Yes

No

Security

All Army cloud instances will use Army Future Command (AFC)'s Command, Control, Communications, Computers, Cyber, Intelligence, Surveillance and Reconnaissance Center (C5ISR) as their Cybersecurity Service Provider (CSSP). Exceptions can only be granted by the Army Cyber Command (ARCYBER) or the Chief Information Officer (CIO)/G6.

New

The contractor must work with Army Future Command (AFC)'s Command, Control, Communications, Computers, Cyber, Intelligence, Surveillance and Reconnaissance Center (C5ISR) to establish Cyber Security Service Provider (CSSP) services (as required by DoDI 8530 and as described by the DISA Cloud Computing Security Requirements Guide) for Army applications hosted in commercial cloud.

Required

Required

Required

N/A

Yes

Yes

Yes

Data

All new and existing applications, systems, or servicesdeemed non-legacy shall expose their data and functionality through service interfaces (for example, OpenAPI specification). (Mandatory Implementation of Army Data Standards Services Requirements Memo (10 April 2020), Principle DSR-6)

Mandatory Implementation of Army Data Standards Services Requirements Memo (10 April 2020)

The contractor must ensure that all new and existing applications, systems, or services deemed non-legacy shall expose their data and functionality through service interfaces (for example, OpenAPI specification).

Required

Required

N/A

N/A

Yes

No

No

Data

All service interfaces, without exception, must be designed to be consumable from external sources and must plan and design to be able to expose the interface to developers. (Mandatory Implementation of Army Data Standards Services Requirements Memo (10 April 2020), Principle DSR-7)

Mandatory Implementation of Army Data Standards Services Requirements Memo (10 April 2020)

The contractor must ensure that all service interfaces, without exception be designed to be consumable from external sources and must plan and design to be able to expose the interface to developers.

Required

Required

N/A

N/A

Yes

No

No

Data

Metadata about all Army data assets must be registered in the Army Enterprise Data Service Catalog (EDSC) and comply with Dublin Core Metadata Element Sets and International Standards Organization Metadata Registries requirements.(Mandatory Implementation of Army Data Standards Services Requirements Memo (10 April 2020), Principle DSR-3.)

Mandatory Implementation of Army Data Standards Services Requirements Memo (10 April 2020)

The contractor must ensure that all Army data assets are registered in the Army Enterprise Data Service Catalog (EDSC) and comply with Dublin Core Metadata Element Sets and International Standards Organization Metadata Registries requirements.

Required

Required

N/A

N/A

Yes

No

No

Data

All Army data sources must be developed with built-in data exchange capabilities. Data mapping must also be implemented to increase efficiency and ease of use of data assets as they are being translated or transformed. At a minimum, programs and initiatives are required to comply with Global Force Management Data Initiative; International Standards for dates; Geopolitical Entities, Names and Codes, Common (GENC); Joint Consultation, Command and Control Exchange Data Model; or Resource Description Framework standards and schemas. (Mandatory Implementation of Army Data Standards Services Requirements Memo (10 April 2020), Principle DSR-4)

Mandatory Implementation of Army Data Standards Services Requirements Memo (10 April 2020)

The contractor must ensure that All Army data sources are developed with built-in data exchange capabilities. Data mapping must also be implemented to increase efficiency and ease of use of data assets as they are being translated or transformed. At a minimum, programs and initiatives are required to comply with Global Force Management Data Initiative; International Standards for dates; Geopolitical Entities, Names and Codes, Common (GENC); Joint Consultation, Command and Control Exchange Data Model; or Resource Description Framework standards and schemas.

Optional

Required

N/A

N/A

Yes

No

No

Data

Data must be managed across its lifecycle and captured in a data management plan. (Mandatory Implementation of Army Data Standards Services Requirements Memo (10 April 2020), Principle DSR-5)

Mandatory Implementation of Army Data Standards Services Requirements Memo (10 April 2020),

N/A

Required

Required

N/A

N/A

Yes

Yes

No

Data Management Plan

Data

All custom software or customized COTS software written by the Army or developed with Army funding will be centrally controlled and made available to all DoD, IC and inter-agency partners within the approved Army source code repositories on the Unclassified, Secret, and Top Secret networks in accordance with Army Directive 2018-26 (Enabling Modernization Through the Management of Intellectual Property) (Mandatory Implementation of Army Data Standards Services Requirements Memo (10 April 2020), Principle DSR-8)

Mandatory Implementation of Army Data Standards Services Requirements Memo (10 April 2020),

The contractor must utilize government approved centralized source code repositories to store all government funded software development or customization of COTS products.

Required

Required

Required

N/A

Yes

No

No

Data

There will be no other form of Inter-Process communication allowed: no direct linking, no direct reads of another data store, no shared-memory model, and no back-doors whatsoever. The only Inter-Process communication allowed is intra-system data exchanges or service interface calls over the network. All other requests or methods require CIO approval ((Mandatory Implementation of Army Data Standards Services Requirements Memo (10 April 2020), Principle DSR-9)

Mandatory Implementation of Army Data Standards Services Requirements Memo (10 April 2020),

The contractor must ensure that there will be no other form of Inter-Process communication allowed: no direct linking, no direct reads of another data store, no shared-memory model, and no back-doors whatsoever. The only Inter-Process communication allowed is intra-system data exchanges or service interface calls over the network.

Optional

Mandatory

N/A

N/A

Yes

No

No

CSP

Once available, procurement of all DoD Information Impact Level (IL) 6 and below Cloud Service Provider (CSP) Offerings will use the Army’s Enterprise CSP Reseller contract. Exceptions to this policy include programs funded by Military Intelligence Program (MIP)/National Intelligence Program (NIP) monies. Other exceptions can only be granted by the ECMO. As contract options expire, existing CSP service contracts will also be migrated to the Army’s Enterprise CSP reseller contract.

New

All Cloud Service Offering (CSO) requirements up through DoD Information Impact Level (IL) 6 that are within scope of the Army Enterprise Cloud Contract Vehicle will be purchased off that vehicle.

Required, Once Available

Required, Once Available

Required, Once Available

Required, Once Available

Yes

No

No

CSP

For those CSP Services that exist outside of the Enterprise reseller contract today, the CSP owner must align and integrate their AWS/Azure cloud instances to the cArmy Cost and Utilization Management Tool, to ensure ECMO can view all Army CSP resources and spend.

New

The contractor will register all cloud instances into the cArmy cost and utilization management tool with any CSP procurement. Cloud instances will be registered into cArmy's management tool within 15 business days of procurement.

Required

Required

Required

Required

Yes

No

No

Data

All data will reside physically within the legal jurisdiction of the United States. If the location of the data is not physically maintained within the legal jurisdiction of the United States, written determination from the Contracting Officer to authorize use of another location is required IAW DFARS 239.7602-2(b).

DFARS 239.7602-2(b)

The Contractor must maintain all data within the legal jurisdiction of the United States IAW DFARS 239.7602-2(b).

Required

Required

Required

Required

Yes

No

No

Security Incident Planning

The Army must adhere to the DoD Cloud Computing Security Requirements Guide version 1 release 3 (or superseding versions or releases). IAWS DFARS 239.7604

DoD Cloud Computing Security Requirements Guide (DoD CC SRG) Version 1 Revision 3, Section 6.5.1, IAW DFARS 239.7604

The contractor must adhere to the DoD Cloud Computing Security Requirements Guide version 1 release 3 (or superseding versions or releases). In particular, contractors must provide security incident response plans. Updates to the plans are required on an annual basis or when a significant change occurs to the technical or operational environment.

Required

Required

Required

Required

Yes

No

No

Security

Contracts shall only be awarded to a cloud service provider that DISA granted a DoD Provisional Authorization (PA), at the level appropriate to the requirement, to deliver the relevant cloud computing model IAW with the DoD CC SRG.

DoD Cloud Computing Security Requirements Guide (CC SRG)

The Contractor will ensure that the cloud environment fully complies or exceeds the security requirements for level ___in the DoD Cloud Security Model SRG. The Contractor will make the environment accessible for a DoD security team to evaluate the environment prior to the placement of any DoD data in the environment and allow for periodical security reviews of the environment during the performance of this contract.

Required

Required

Required

Required

Yes

No

No

Security

Data must be encrypted at rest and in-transit

CNSSP 15, AR 25-2

The contractor shall ensure that all data-at-rest and data in-transit is encrypted utilizing NSA-approved encryption.

Required

Required

Required

Required

Yes

No

No

Cost Management and Reporting

Cost Report (Cost Summary Data Report 1921, 1921-5) and CWBS Dictionary

EXORD 009-20

The Contractor shall ensure that all cloud-related costs/price, which include but are not limited to: cost of modernization and migration of applications, Cloud Service Provider (CSP) costs, and cloud Operations and Maintenance (O&M) costs/prices are clearly identified and available for government reporting purposes.

Required

Required

Required

Required

Yes

No

No

Cost/price Report

Common and Data Services

Service Name

Service Description

1

Operating System Vulnerability Scanning

Operating System vulnerability scanning service (e.g., Assured Compliance Assessment Solution [ACAS])

2

IP Address Management

Planning, tracking, and managing the Internet Protocol (IP) address space used in the cloud environment

3

Virtual Datacenter Security Stack (VDSS)

All VDSS components and services (e.g. Web Application Firewall, Reverse Proxy, etc.) listed in DISA cloud SRG and SCCA documents, and DoD enclave protection firewall

4

Key Management

PKI certificate signing, administration, and key management

5

Network Infrastructure Management and Monitoring

Monitor, manage, and alert on events related to network utilization and availability

6

DDos Protection Service

Protects applications in the cloud environment from Distributed Denial of Service (DDoS) attacks

7

DNS Hosting, Caching, Recursion

DNS lookup for cloud-based applications and hierarchical DNS management delegated to mission owners

8

PKI Cert Validation

Online Certificate Status Protocol (OCSP) responder to validate if PKI certificates are valid or revoked

9

Network Time

Cybersecurity mandated accurate time source for DoD systems hosted in the cloud

10

Patch Management

Patch repositories for common operating system patch files.

11

SMTP Relay

Simple Mail Transport Protocol (SMTP) based email relay

12

Enterprise Directory Services

Privileged administrative user and non-person entity Identity, Credential, and Access Management (ICAM) (e.g., Active Directory [AD], Lightweight Directory Access Protocol [LDAP])

13

Federated Access Management

User Identity, Credential, and Access Management (ICAM) (e.g., EAMS-A, SAML Services)

14

Secure File Transfer Service (SFTP)

Securely transfer large files to the cloud environment

15

Notification Services

Alerting and notification (e.g., Short Message Service [SMS])

16

Endpoint Monitoring

Protects computing endpoints from malware and other cyber security threats (e.g., Host Based Security Service [HBSS])

17

Remote Privileged Access

Secure administrative access from the Internet or DODIN to DoD servers in secure cloud enclaves.

18

Centralized Logging/Auditing

Consolidated aggregation point for receiving and storing logs from systems and applications in the cloud environment

19

Security Information and Event Management (SIEM) and Log Analytics

Identifies and categorizes security related incidents and events

20

Data Dissemination Service

Accelerates and consolidates data for transfer utilizing secure network tunnels.

21

Code Repository

Code repository for source code configuration management to support a software factory

22

STIG Compliant Virtual Server Templates

A library which stores DISA Security Technical Implementation Guide (STIG) compliant virtual machine template images

23

License/Software Management

Operating System (OS) level license management

24

Asset Management Services

Discover and track assets such as resources, licensed software, etc. within the cloud environment

25

Cross Domain Solution (CDS)

Automatically move appropriately vetted files between security classification levels

26

CSSP Services

Standardized tools & processes to meet cloud cyber security requirements; primarily provided by C5ISR to cArmy tenants. Collaboration with cArmy cloud services ops team

27

Continuous Integration / Continuous Delivery/Deployment (CI/CD) Tools

Tools to enable the CI/CD pipeline (e.g., tools similar to the capabilities provided in DI2E.net)

28

Enterprise Data Catalog and Service Registry

Data and service listing for data and service management and automated data processing

29

Container Platform

Enabling container runtime services (e.g., container orchestration)

30

Budget and Cost Management

Provides cloud cost and budget information to mission owners

31

Resource Management Portal

Portal to manage compute and store resources

* Note - This listing is current as of 1 May 2020. The number of services is expected to increase as the Army cloud environment matures.

CLIN SLIN Descriptions

Cloud Migration, Hosting, and Managed Services Work Breakdown Structure Potential CLIN/SLIN) Descriptions (separately identified & priced) (aligned with PWS)

2.6.1 Cloud Migration Support

2.6.1.1 Migration Analysis: Price for assessment/detailed analysis of the required effort to migrate to cloud environment

2.6.1.2 Reengineering: Price for adjusting code or configuration to ensure Operating Systems and Applications can be supported in target Cloud environment. Includes effort to convert OS to target platform, re-establish interface capabilities, user portal connectivity and access, as well as effort virtualize application or data storage

2.6.1.2.1 Refactoring: Price for re-architecting and recoding portions of the application to be compatible with cloud native frameworks/functionality. Includes, for instance, virtualization and conversion to x86 (Optional Detail)

2.6.1.2.2 Re-platforming: Price for efforts associated with changes to system software and middleware to adhere to the cloud environment target platform without changing applications core functionality (Optional Detail)

2.6.1.2.3 Re-hosting: Price for moving from one hosted environment to another. Includes effort to adjust system API/interfaces (Optional Detail)

2.6.1.3 Cybersecurity: Price for security/RMF to achieve cybersecurity compliance and ATO

2.6.1.4 Application or System Migration: Priced effort to move or install applications, systems or other components

2.6.1.5 Data Migration: Priced Effort to migrate/converge data/databases

2.6.1.6 Initial Provisioning/Configuration: Priced Effort to provision operating environments and configure platform management software

2.6.1.7 Cloud Access Point Fee: Priced Effort to establish Cloud Access Point connection to DISA Network (DoD Network Connectivity)

2.6.1.8 Test and Evaluation: Priced Effort to complete testing to ensure performance criteria can be met

2.6.2 Recurring Hosting

2.6.2.1 Hosting Infrastructure

2.6.2.1.1 Compute: Price for computing resources (vCPU/core, RAM) consumed by operating environments

2.6.2.1.2 Database: Price for database operating environments

2.6.2.1.3 Data Transfer (In/Out): Price data transfer in/out of the of the network or sent to the systems

2.6.2.1.4 Storage/Backup Storage: Price for cloud storage or back up storage

2.6.2.2 Software Licenses: Price for software licenses that are provided by the cloud provider. This can include, for example, Oracle licenses provided as a part of the cloud operating environment. This does not include, for example, application licenses provided by other vendors that are not part of the cloud offering

2.6.2.3 Cloud Management Licenses: Price for software products including middleware that monitor and manage cloud environment

2.6.2.4 Cloud Services

2.6.2.4.1 Application Management Services (AMS): Price for functional application support (SAP/Oracle applications)

2.6.2.4.2 Cloud Managed Support Services

2.6.2.4.2.1 Monitoring/Server Administration: Priced Effort to monitor and manage servers and operating system

2.6.2.4.2.2 Database Management/Administration: Priced Effort to monitor and manage application databases, database administration, and SAP HANA support

2.6.2.4.2.3 Security/Information Assurance: Priced Effort associated with ongoing information assurance, security compliance, and Risk Management Framework

2.6.2.4.2.4 Software Patching and Deployment: Priced Effort associated with implementing operating system software patches as well as database, middleware, and application patches; generally applicable under PaaS

2.6.2.4.2.5 Program Management: Price for project management and oversight. Also includes the preparation of management CDRLs

2.6.2.4.2.6 Training: Price to develop education/training materials or conduct training on cloud related principals and techniques

2.6.2.4.2.7 Transition: Price to develop a transition plan, support a transition to another MSP provider, or support a transition to another cloud or an on-premise solution

2.6.2.4.2.8 Continuous Improvement

2.6.2.4.2.8.1 Process Automation: Effort to develop and maintain tools and scripts used to improve deployment, elasticity, and cloud management

2.6.2.4.2.8.2 Architecture Reengineering: Effort, usually provided under managed services, to optimize cloud infrastructure