Combine Solicitation – Financial Statement Audit & Federal Information Security Management Act of 2002 Evaluation

Notice Type: Combine Solicitation

Posted Date: 12-MAY-14

Office Address: U.S. Commission on Civil Rights; 624 Ninth Street, NW, Suite 550 Washington DC 20425

Subject: Financial Statement Audit & Federal Information Security Management Act of 2002 Evaluation

Classification Code: R - Professional, administrative, and management support services

Solicitation Number: CCR-14-0001

Contact: Pamela A. Dunston, Chief, ASCD, Phone 202-376-8105, Email [email protected] - John Ratcliffe, Chief, BFD, Email [email protected]

Setaside: N/AN/A

Place of Performance (address): U.S. Commission on Civil Rights1331 Pennsylvania Avenue, NW Suite 1150 Washington, DC

Place of Performance (zipcode): 20425

Place of Performance Country: US

Description: U.S. Commission on Civil Rights

U.S. Commission on Civil Rights

U.S. Commission on Civil Rights

Due to space limitations, the complete Solicitation is not posted here. The complete Solicitation may be requested via email to mailto:[email protected]. Please reference the Solicitation Number, CCR-14-0001, in your email.

This is a combined synopsis/solicitation for commercial services prepared in accordance with the format in FAR Subpart 12.6, as supplemented with additional information included in this notice. This announcement constitutes the only solicitation; quotes are being requested and a written solicitation will not be issued.

Solicitation CCR-14-0001 is issued by the U.S. Commission on Civil Rights for Financial Statement Audit (FSA) and Financial Information Security Management Act (FISMA) Evaluation. This solicitation is not a small business set aside and will be awarded as a firm fixed-price contract.

Scope of Work

Financial Statement Audit (FSA)

The Contractor shall conduct an audit of Commission's annual financial statements. The audit shall be performed in accordance with generally accepted government auditing standards (GAGAS), as specified in the most current version of the Government Accountability Office's (GAO) Government Auditing Standards, and the provisions of OMB Bulletin No. 14-02, Audit Requirements for Federal Financial Statements, as amended. In conducting the audit, the methodology used should be consistent with the most current version of the GAO/President's Council on Integrity and Efficiency (PCIE) Financial Audit Manual (FAM). At a minimum, the Contractor shall provide documentation, prior to beginning the work, which demonstrates how the Contractor's approach addresses the elements of the FAM.

With respect to Required Supplementary Information (RSI) and Required Supplementary Stewardship Information (RSSI), the Contractor shall assess whether the information and its presentation is materially consistent with the information in the basic statements. In performing this assessment the contractor shall perform procedures consistent with AU [Section] 558, Required Supplementary Information.

With respect to internal controls, the Contractor shall obtain an understanding of the components of internal control and assess the level of control risk relevant to the assertions embodied in the classes of transactions, account balances, and disclosure component of the financial statements. Such controls include relevant information technology (IT) general and application controls and controls relating to intra-entity and intra-governmental transactions and balances.

To assess the effectiveness of the IT control environment, the Contractor shall, at a minimum, perform procedures over the following GAO Federal Information System Controls Audit Manual (FISCAM) general control areas:

Security management

Access controls

Configuration management

Segregation of duties

Contingency planning

With respect to compliance with applicable laws and regulations, the Contractor shall perform tests of compliance with laws and regulations, including laws governing the use of budget authority laws, regulations, and government-wide policies identified by OMB, and any other laws and regulations that could have a direct and material effect on the basic statements.

Planning

The Contractor shall plan the audit work consistent with the FAM Section 200. The Contractor shall develop ways to obtain the evidence necessary to report on Commission's financial statements, internal controls, and compliance with laws and regulations. The Contractor shall receive approval from the Contracting Officer's Representative (COR) prior to the implementation of any changes to the scope of the audit. The Contractor shall conduct an entrance conference with key Commission officials for the financial statement audit. The entrance conference shall occur prior to the commencement of work. The Contractor shall coordinate with the COR to schedule these meetings.

Testing

The Contractor shall complete the following in accordance with FAM Sections 300 and 400:

determine the nature, timing, and extent of audit procedures

document the results of audit procedures performed

document conclusions reached

Audit procedures shall encompass tests of internal controls, tests of detail transactions and balances (substantive testing), and tests of compliance of laws and regulations. As necessary and based on testing performed, the Contractor shall develop findings and recommendations, as described in the FAM Section 580 and generally accepted government-auditing standards.

Reporting

The Contractor shall complete audit procedures, evaluate results and conclusions reached, and report results to the COR and Commission management consistent with the FAM Section 500. The Contractor shall conduct an exit conference with key Commission officials for the financial statement audit. The exit conference shall occur upon completion of the audit. The Contractor shall coordinate with the COR to schedule these meetings. The Contractor shall conduct a lessons learned meeting with the appropriate Commission management representatives and the COR to discuss and document the processes that were effective and those that could be improved during the subsequent year's contract performance.

Federal Information Security Management Act (FISMA) Evaluation

The Contractor shall develop an evaluation program that shall include the objectives of each program and steps that will be taken to accomplish the objectives, including the nature, timing and extent of evaluation procedures. The evaluation program shall conform to applicable OMB/DHS guidance. The evaluation program shall encompass the Program Areas referenced in SOW Section 2.2. The Contractor shall conduct an entrance conference with key Commission officials for the FISMA evaluation. The entrance conference shall occur prior to the commencement of work. The Contractor shall coordinate with the ACOR to schedule these meetings.

Evaluation of USCCR's Information Security Posture

The Contractor shall conduct an evaluation of Commission's compliance with FISMA and related OMB, DHS, and OIG requirements, which includes the following Overall Security Management and Program Areas of information security management:

Overall Security Management:

Development of Detailed IT Policies and Procedures

A Comprehensive Risk Management Process

A Comprehensive Certification and Accreditation Process

Effective Oversight of Contractors and Contractor Systems

An Agency-Wide Privacy Program

Effective Configuration Management Policies and Procedures

Program Areas:

Continuous monitoring management

Configuration management

Identity and access management

Incident response and reporting

Risk management

Security training

Plan of action and milestones

Remote access management

Contingency planning

Contractor systems

Security capital planning

Systems inventory

The FISMA evaluation shall be conducted in accordance with the Council of Inspectors General on Integrity and Efficiency (CIGIE) Quality Standards for Inspections and Evaluations issued January 2012, and subsequent revisions, with the general standards of GAO's Government Auditing Standards, and with applicable annual instructions from OMB/DHS. The Contractor shall consult with the ACOR in the selection of systems to be reviewed. Results of the evaluation shall be documented in a report in accordance with FISMA and applicable reporting guidance. The report shall include responses to the questionnaire provided by OMB/DHS as part of the FISMA instructions. Findings disclosed in the report shall include recommendations for corrective action.

FISMA Evaluation Report

The Contractor shall perform evaluation procedures. The Contractor shall document results of testing and conclusions reached in accordance with FISMA, CIGIE Quality Standards on Inspection and Evaluation, and applicable annual instructions from OMB, DHS, and OIG. The report shall include responses to the questionnaire provided by OMB/DHS as part of the FISMA instructions. The Contractor shall develop findings that describe the condition, cause, criteria, effect and recommendation based on testing performed.

OMB/DHS Reporting

The Contractor shall develop a draft FISMA evaluation report that includes the results of evaluation procedures and complies with applicable OMB/DHS guidance. This report is subject to ACOR approval prior to finalizing the form and content. The report shall include a section that describes findings identified during performance of FISMA evaluation procedures, including recommendations for management. The Contractor shall conduct an exit conference with key Commission officials for the FISMA evaluation. The exit conference shall occur upon completion of the evaluation. The Contractor shall coordinate with the ACOR to schedule these meetings. The Contractor shall conduct a lessons learned meeting with the appropriate Commission management representatives and ACOR to discuss and document the processes that were effective and those that could be improved during the subsequent year's contract performance.

The Commission is a micro-agency and must file reports via Cyberscope utilizing the metrics for micro-agencies. The draft reports for Cyberscope should consist of three separate reports: one utilizing the IG Metrics, one utilizing the CIO metrics and one utilizing the Privacy metrics..

Conduct Network Scan

The Contractor shall complete a Network Scan.

Deliverables

! No. ! Title ! Ref. !

! 001 ! Detailed Audit Planning Documents2 ! 2.1.1 !

! 002 ! Audit Programs ! 2.1.1 !

! 003 ! Internal Control Phase Documents ! 2.1.2 !

! 004 ! Interim Audit Documentation ! 2.1.2 !

! 005 ! Final Audit Documentation ! 2.1.2 !

! 006 ! Audit Reports (Draft and Final) ! 2.1.3 !

! 007 ! Management Letter Financial Statement Audit ! 2.1.3 !

! 008 ! FISMA Evaluation Program ! 2.2.1 !

! 009 ! FISMA Evaluation Documentation ! 2.2.2 !

! 010 ! FISMA Evaluation Final ! 2.2.3 !

! 011 ! Network Scan ! 2.2.4 !

! 012 ! Firm Memorandum for Independence and Quality Control, Peer Review Report and PCAOB Inspection Report ! 2.3.2.2 !

! 013 ! Statements of Independence and GAOCPE Compliance ! 2.3.2.2, 2.3.2.3 !

! 014 ! Non-Disclosure Agreements ! 2.3.2.4 !

! 015 ! Monthly Progress Reports ! 2.3.3 !

! 016 ! Technical Status Meeting Agendas ! 2.3.4 !

!

The period of performance for this task shall be from the date of award through December 15, 2014, with two 30-day extensions, if needed and four option years.

Offers will be evaluated in accordance with FAR 52-212.2 "Evaluation - Commercial Items, which is incorporated into this solicitation with addendum to paragraph (a) as follows: the following factors shall be used to evaluate offers: (1) Technical Proposal, (2) past performance, and (3) price. The Government will make award to the responsible offeror whose offer conforms to the requirements herein and represents the best value to the Government. Contractor qualifications are more important than price.

Technical Proposal: The quote shall include (1) the technical approach, (2) qualifications of key personnel and other proposed staff, and (3) contractor's qualifications. The quote must provide resumes of all key personnel and other proposed staff. The resumes should indicate the proposed staff's knowledge and experience with conducting Financial Statement and FISMA audits on small Federal agencies. The quote must include the contractor's experience with conducting Financial Statement and FISMA audits on small Federal agencies.

Past performance: The quote shall include a minimum of three (3) references with a brief description of previous projects of similar size and complexity. Each example of past performance shall include: contract number; contract description; contract amount and type of contract; period of performance; name, address, Email address, telephone number, fax number (if Govt contract, provide the name, telephone number of contracting officer and the COR or if commercial, provide the technical and contracting equivalent); size and complexity of the project; and whether all options were exercised.

Pricing: The quote shall include the following information: (1) a breakdown of labor categories, fully burdened hourly rates for all proposed personnel under each effort as outlined in the Statement of Work, (2) a breakdown of the number of proposed hours in sufficient detail to allow the Government a good understanding of your planned technical approach and the ability to review the consistency between the planned technical approach and the proposed pricing. Appendex B should be used to provide a breakdown and summary of the price proposal quote.

The proposal shall not exceed 25 pages - resumes excluded.

The following Federal Acquisition Regulation (FAR) provisions and clauses in effect through FAC 2005-03, dated April 2005 are applicable to this procurement: 52.212-1, Instructions To Offerors-Commercial Items; 52-212-4 Contract Terms and Conditions-Commercial Items; 52.212-5 Contract Terms and Conditions Required to Implement Statues or Executive Orders-Commercial Items including subparagraphs (b) (1), (17), (18), and (19), which are applicable to commercial services. 52.227-17 Rights in Data-Special Works and the Key Personnel Clause is applicable as well. The offeror shall submit with their quote a completed copy of FAR 52.212-3, Offeror Representations and Certifications-Commercial Items. The award will be based on the best value to the Government, price and other factors included. Submit three (3) copies of your quotes to

Pamela Dunston, U.S. Commission on Civil Rights, Acquisition Office, Room 1139, 1331 Pennsylvania, NW., Suite 1150, Washington, DC 20425. Quotes will be accepted by Email, or hand-delivered. Proposals are due by Wednesday, June 11, 2014 at 12:00 Noon. The Government shall not pay for any costs associated with the preparation of the proposal.

All RFQs received in mailto:[email protected] must be received by the deadline specified on http://www.usccr.gov/ [http://www.usccr.gov]. USCCR accepts no liability for the problems that are encountered by your email system. Please check for any viruses or security problems with your system before sending an email to this account. We will not accept any RFQs after the posted deadline.

Point of contact: Pamela Dunston

Place of Performance: Washington, DC

Link/URL: https://www.fbo.gov/spg/USCCR/USCCR/USCCR1/CCR-14-0001/listing.html