Defense Procurement and Acquisition Policy Clause Logic Service (CLS) Interface Control Document & Interconnection Security Agreement March 12, 2018 Version: 1.0


Post on 07-Mar-2020


Table of Contents

1. Introduction
    1.1. Purpose
    1.2. Scope
    1.3. Functional Requirement
2. System Description
    2.1. System Functionality
    2.2. CLS Application
        2.2.1. System Description
        2.2.2. Hardware
        2.2.3. Software
    2.3. WAWF e-Business Suite Applications
        2.3.1. System Description
        2.3.2. Hardware
        2.3.3. Software
    2.4. CWS (This section to be completed by the CWS Team)
        2.4.1. System Description
        2.4.2. Hardware
        2.4.3. Software
3. Information Assurance
    3.1. Security
        3.1.1. System Names, Owners and Computing Centers
        3.1.2. Accreditation Status
        3.1.3. Information Type
        3.1.4. Authorization Officials
        3.1.5. Security Categorization and Information Classification
        3.1.6. Assertions
        3.1.7. Protection Levels
    3.2. Interconnection Graphic
    3.3. SSO Authentication
        3.3.1. CLS UI Direct Web Access
        3.3.2. CLS UI CWS Web Access
    3.4. CLS API Direct Access
    3.5. Privacy
4. Regular Processing
    4.1. Schedule Variance
    4.2. Expected Volume
        4.2.1. Regular
        4.2.2. Seasonal
        4.2.3. System Growth and Expansion
    4.3. Recurring and Unexpected Maintenance Notification
        4.3.1. CWS (This section to be completed by CWS Team)
        4.3.2. CLS
        4.3.3. WAWF e-Business Suite
    4.4. Traceability Requirements
    4.5. Validation Considerations
    4.6. Error Handling
5. CWS
6. WAWF e-Business Suite POC
7. CLS POC
8. Notification of ISA Changes
    8.1. General
    8.2. Regulatory changes
    8.3. Functional, technical, or procedural changes
    8.4. Duration
    8.5. Provisions for Review and Changes
9. Signatures
    9.1. Interconnection Security Agreement

Defense Procurement & Acquisition Policy CLS/CWS Interconnection Security Agreement ii


1. Introduction

1.1. Purpose

This Interface Control Document (ICD) between Clause Logic Service (CLS) and a Contract Writing System (CWS) establishes the data interconnection relationship and requirements to ensure accurate and timely data exchanges. This ICD will also document the secure transfer of data between systems as per the Information Security guidelines presented in the current versions of the Department of Defense Instruction (DoDI) 8500.1, National Institute of Standards and Technology (NIST) Special Publication (SP) 800-47, (NIST) Special Publication (SP) 800-53. This Agreement is a commitment to objectives and requirements of CWS and CLS projects; it contains the necessary details to evaluate the full requirements of a CWS and CLS to develop, implement, and sustain these interconnections.

As written in the Defense Procurement and Acquisition Policy (DPAP) Strategic Plan for Defense Wide Procurement Capabilities, the functional strategy for DoD in the contract writing area envisions leverage of the information technology environment, and DoD Contract Writing Systems (CWSs) used for defense wide procurement capabilities to ensure the use of functional and electronic exchange data standards (and associated business rules), enterprise services, common test criteria and internal controls for validation. Seamless use of data from authoritative sources is critical. CLS is a key part of that strategy and this document contains the necessary information for agencies to create the appropriate interfaces.

1.2. Scope

This ICD chronicles interconnection arrangements and information security features in place to protect the confidentiality, integrity, and availability of the data and the systems being interconnected for each party of this agreement. This ICD governs the management, operations, maintenance, and valid use of the connection; specifically defining the purpose for the connection. In addition, this agreement formalizes the system level roles and responsibilities in accordance with applicable Department of Defense (DoD) requirements and directives. The organizations directly involved in the management, operations, and maintenance of these systems are:

- CLS Program Management Office (PMO)
- CWS (PMO)
- WAWF Program Management Office (PMO)

This ICD authorizes mutual permission to connect both parties and establishes a commitment to protect data exchanged between the networks or processed and stored on systems.

1.3. Functional Requirement

This interface provides for a connection to the CLS User Interface (UI) in order to support Agency/Service users' retrieval of FAR and DFARS clauses.

The CWS user will be able to access CLS through two approaches.

First, users can access CLS through the DLA Wide Area Workflow (WAWF) e-Business Suite. This approach requires the user to be registered in the WAWF prior to being passed to CLS, which relies on WAWF to authenticate the user based on a predefined role assigned to the user. If authorized, a user is able to request additional CLS roles in WAWF.

Second, a user can access CLS through their CWS via a link established by the CWS PMO. CLS will rely on CWS to authenticate and authorize the user on behalf of CLS. All network communication between CWS and CLS will adhere to the specification outlined in section 3, Information Assurance, of this document. The CWS PMO will establish the appropriate code in their system to properly utilize the mechanisms stipulated in that section.

Either approach will provide the user with role based access and use of the CLS functionality.

2. System Description

2.1. System Functionality

CLS is a web service designed to aid in the procurement process within the Department of Defense and other federal agencies. The primary function of this service is to allow for consistent inclusion of provisions and clauses into procurement documents. The goal of CLS is to improve the integrity of contracts developed by providing a centralized, web based, intelligent business logic clause-generating service for the contracting workforce.

CLS will leverage the Single Sign-On (SSO) capabilities of the WAWF e-Business Suite via a web browser graphical user interface and via a CWS implementing the system-to-system SSO. In any case, rendering of the clauses and their insertion into the contract action remain the province of the contracting officer.

The CLS web service is processed at the US Army’s Acquisition, Logistics and Technology Enterprise System and Services (ALTESS) Data Center, which makes use of several enterprise ALTESS service offerings. It resides within the ALTESS Managed Virtual Environment and runs on a Linux Red Hat platform. The data repository is provided by an Oracle database managed within the ALTESS ‘Shared Oracle Environment’.

CLS makes use of JAVA, JSON and XML to interface with the end user and CWS. DLA Transaction Services (DLATS) operate the CLS Application Programming Interface (API) to provide the business rules functionality. The system chooses provisions and clauses using a standard set of system logic rules for the current Federal Acquisition Regulation Supplement (FARS), the Defense Federal Acquisition Regulation Supplement (DFARS), and DFARS Procedures, Guidance, and Information (PGI) 201.301.

2.2. CLS Application

2.2.1. System Description

The current CLS application consists of a web based application and an API that deliver a single solution for the selection of clauses by providing a centralized, web based, intelligent business logic clause-generating service for DoD procurement professionals. The CLS application includes:

- CLS User Interface (UI)
- CLS Application Programming Interface (API)

CLS User Interface. CLS UI is an interactive web application developed by DPAP specifically for DoD employees to obtain consistent selection of provisions and clauses for inclusion in procurement documents.

CLS Application Programming Interface. CLS API is a web service that provides a standard set of business rules to select a consistent set of provisions and clauses for inclusion in procurement documents through the CLS UI and a system to system interface for the legacy DLA eProcurement CWS using a standard XML request/response method.

2.2.2. Hardware

The CLS web service is hosted at the ALTESS Data Center. Within ALTESS, CLS makes use of several enterprise ALTESS service offerings. CLS resides within the ALTESS Managed Virtual Environment and runs on a Linux Red Hat platform. The data repository is provided by an Oracle database managed within the ALTESS ‘Shared Oracle Environment’.

The CLS API is hosted and operated at DLA Transaction Services within the DAAS Managed Virtual Environment and runs on a HP platform, running the Ab Initio Rules engine that provides the business selection and decision logic to select provisions and clauses via a web service interface using a standard CLS XML request/response message. The CLS API currently interfaces with the CLS UI at ALTESS and the DLA eProcurement CWS.

2.2.3. Software

CLS makes use of JAVA, JSON and XML to interface with end users and CWS. DLA Transaction Services operates the CLS API which uses the Ab Initio Rules engine used by legacy DLA CWS and CLS UI.

2.3. WAWF e-Business Suite Applications

2.3.1. System Description

The current WAWF e-Business Suite environment consists of multiple web-based applications and a training site. The WAWF e-Business Suite system is the single face delivering access to a number of business applications and capabilities that are managed independently. This Family of Systems (FoS) operated within the WAWF e-Business Suite presently includes:

- Invoicing, Receipt, Acceptance, and Property Transfer (iRAPT)
- iRAPT Mobile Apps
- Item Unique Identifier (IUID) Registry
- Department of Defense Contracting Officer Representative Tracking (CORT) Tool
- Electronic Military Interdepartmental Purchase Request (eMIPR)
- Electronic Document Access (EDA)
- Contract Closeout (CCO)
- National Industrial Security Program (NISP) Contract Classification System (NCCS)
- Portal Single Sign On (SSO) supporting Service Component and Agency Enterprise Resource Planning (ERP) implementations, and the Joint Contingency and Expeditionary Services (JCXS)
- Data Lake Single Sign On (SSO)
- Management Reporting System (MRS)
- myInvoice
- Contract Deficiency Reporting (CDR)
- Contracting Communication Module (CCM)

2.3.1.1. Invoicing, Receipt, Acceptance, and Property Transfer (iRAPT). The Department of Defense (DOD) enterprise system for secure electronic submission, acceptance, and processing of invoices. It is mandated for use by all DOD Services and Agencies for electronic invoicing by DFARS 252.232-7003. iRAPT processes over 600,000 documents per month worth $28B per month and saves DOD millions of dollars annually in processing cost and avoided interest. iRAPT brings together the Invoice & the Receiving Report from iRAPT, and the contract from EDA to provide the entitlement systems with the ability to perform the three-way match needed to authorize payment. iRAPT is also the Enterprise data entry point for IUID and Passive Radio Frequency Identification (RFID) data for new acquisition items, the source of receipt and acceptance data for service component and agency Enterprise Resource Planning (ERPs) and is central for the Business Enterprise Architecture (BEA) enterprise solutions for Standard Financial Information Structure (SFIS) and Intra Governmental Transfer (IGT). The Property module of iRAPT is the Enterprise data entry point for the Paperless Government Furnished Property (GFP).

2.3.1.2. Item Unique Identification (IUID) Registry application was reengineered and integrated into the WAWF e-Business Suite and deployed to production in October of 2014. The IUID Registry is a Department of Defense application that enables easy access to information about DOD possessions that makes acquisition, repair, and deployment of items faster and more efficient.

2.3.1.3. myInvoice

myInvoice is an interactive web application developed by Defense Finance Accounting Services (DFAS) specifically for Contractors/Contractors and Government/Military employees to obtain invoice status, for invoices submitted through iRAPT or by other means.

2.3.1.4. Contracting Officer’s Representative Tracking (CORT) Tool. A web-based management capability for the designation and maintenance of Contracting Officer’s Representatives (CORs) and reports by the CORs. This Tool allows prospective CORs, COR Supervisors and Contracting Officers and Contract Specialists to electronically process nominations of CORs for one or multiple contracts. It provides built in workflows for the nomination process to include email alerts/status reminders for monthly status report due-ins and delinquencies. The CORT Tool provides contracting personnel and requiring activities the means to track and manage COR designations across multiple contracts across DOD.

2.3.1.5. Electronic Military Interdepartmental Purchase Request (eMIPR). eMIPR supports direct-cite MIPR processing. Using the WAWF e-Business Suite, these MIPRs are created and submitted in external activities’ systems or on the web by Requesting Activities, reviewed and funded, accepted or rejected by Servicing Activities, made available to Requesting Activities after acceptance/rejection, and forwarded on to EDA for storage and to contracting offices for action after acceptance.

2.3.1.6. Electronic Document Access (EDA)

EDA is a DOD Enterprise-wide system that combines Internet and Web technologies with electronic document management to provide secure online, electronic storage and retrieval of procurement information and documents across the DOD. EDA provides secure web-based access to contractual and procurement information used by the DOD services and agencies to streamline business processes. EDA provides users with an efficient method for storing, sharing, and retrieving official DOD contract data and documents. EDA facilitates increased accuracy of receipt and acceptance data by passing data electronically from the Standard Procurement System (SPS), and other DOD and Federal contract writing systems, to the WAWF e-Business Suite allowing for more efficient Contractor payment. DOD Enterprise Transition Plan Volume I designates EDA as an enabling program for the Common Supplier Engagement Capabilities. Benefits of the EDA system include aiding the reduction of unmatched disbursements, reducing paper consumption, and increasing convenience to contract specialists and other members of the user community.

2.3.1.7. Contract Closeout (CCO)

The CCO application was created and integrated into the WAWF e-Business Suite in July of 2015. Using data from the iRAPT, EDA, and myInvoice applications, the Contract Closeout application performs automated closeout and distributes the notifications.

2.3.1.8. National Industrial Security Program (NISP) Contract Classification System (NCCS)

The NCCS was created and integrated into the WAWF e-Business Suite in October of 2014. It was a coordinated application project between OUSD (ATL) and DSS.

The application provides the ability for users to populate data onto form DD254 on the Web, and the DD254 is routed to DSS offices for analysis, in addition to Component contract writing systems and the Electronic Document Access (EDA) system based on the appropriate procurement instrument the DD 254 is associated with.

2.3.1.9. Portal Single Sign On (SSO)

The SSO provides DOD suppliers with a single point of entry to enable appropriate business transactions and data visibility as the Department pilots its efforts to increase efficiencies in the Procure to Pay (P2P) business process utilizing the Enterprise Resource Planning (ERP) Supplier Portal Commercial Off-the-Shelf (COTS) products to the maximum extent possible.

2.3.1.10. WAWF e-Business Suite Management Reporting System (MRS)

The MRS is a database repository of all the data from all the applications in the WAWF e-Business Suite and gives users the capability to run Business Intelligence Reports on the data.

Web Based Training is provided for each application in the WAWF e-Business Suite. This consists of information about each application along with training videos with audio.

2.3.1.11. Contract Deficiency Reporting (CDR)

The CDR system permits the reporting and subsequent resolution of issues associated with contract deficiencies.

2.3.1.12. Contracting Communication Module (CCM)

CCM provides a secure repository for attachments and two-way communications for certain users in the iRAPT and CORT applications.

The following are the types of interconnections with the WAWF e-Business Suite and other applications:

- Secure File Transfer Protocol (SFTP)
- Secure Database link
- SSL\PKI over TCP

Please choose the WAWF e-Business Suite Application(s) Interconnection requested:

- iRAPT
- IUID Registry
- CORT
- eMIPR
- EDA
- Contract Close Out
- NCCS
- SSO
- MRS
- myInvoice
- WBT
- CDR
- CCM

2.3.2. Hardware

The WAWF e-Business Suite uses two SPARC M10 servers in an Oracle Real Cluster Application (RAC) environment for databases; there are 7 SPARC T4-4 LDOMs used as the front-end servers (4 for web server; 2 for support server; 1 as a portal server).

There are two SafeNet Luna SA Hardware Signing Modules (clustered) for electronic signing of the documents.

The EDA system uses a combination of COTS hardware.

- Database and Document Hardware: Hewlett Packard
  - OS: HP-UX
  - OS Version: 11.31
- Front End: Sun
  - OS: Solaris
  - OS Version: 10

2.3.3. Software

The applications in the WAWF e-Business Suite are deployed as Java EE applications operating in an IBM WebSphere Application Server Network Deployment (WAS-ND) environment with an Oracle 12C back-end database operating on hardened UNIX operating systems configured using a dedicated Online Certificate Status Protocol (OCSP) responder aggregate certificate revocation list (CRL) from DOD PKI CAs, DOD-managed ECAs, and DOD-approved and JITC certified external partner PKIs.

EDA utilizes a COTS Relational Database Management System (RDBMS) to maintain and control schema, database, and table integrity. The RDBMS engine supporting EDA, Release 8.4, is Oracle 11g Enterprise Edition Release 11.2.0.2 – 64 bit. Stored within the database is an installation of Oracle Application Express (APEX) 4.2.1.00.08.

2.4. CWS (This section to be completed by the CWS Team)

2.4.1. System Description

2.4.2. Hardware

2.4.3. Software

3. Information Assurance

3.1. Security

3.1.1. System Names, Owners and Computing Centers

CWS

DPAP is the functional and information owner of CLS. The US Army, Project Director ALTESS, hosts the application in a government data center in Radford, Virginia. A Service Level Agreement (SLA) governs all activities related to hosting and managing the application, and details the roles and responsibilities between DPAP and ALTESS.

DLA is the functional owner of Wide Area Workflow (WAWF) e-Business Suite. For the purpose of this ICD, only the WAWF SSO feature is relevant. While WAWF has many other features, they are independent of CLS. IBM hosts WAWF in the Allegany Ballistics Laboratory. A Service Level Agreement (SLA) governs all activities related to hosting and managing the application, and details the roles and responsibilities between WAWF and IBM.

3.1.2. Accreditation Status

- CWS Accreditation Status valid thru {date} (check one): ATO ; IATO ; IATT ; DATO
- CLS Accreditation Status valid thru July 11, 2018 (check one): ATO ; IATO ; IATT ; DATO
- WAWF Accreditation Status valid thru May 17, 2018 (check one): ATO ; IATO ; IATT ; DATO

3.1.3. Information Type

The type of information being processed in this interconnection agreement is (check all that apply):

- PII
- HIPAA
- FOUO
- Financial Data
- Other (explain): User validation data – DoDID, and contract clauses.

3.1.4. Authorization Officials

- CWS: (This section to be completed by the CWS Team)
- CLS: Kathy Cutler, 703-767-2100, [email protected]
- WAWF: Kathy Cutler, 703-767-2100, [email protected]

3.1.5. Security Categorization and Information Classification

- CWS Security Categorization and Information Classification: High Moderate or Low
- CLS Security Categorization and Information Classification: High Moderate or Low
- WAWF Security Categorization and Information Classification: High Moderate or Low

3.1.6. Assertions

Appropriate security measures will be established between a CWS and CLS. These measures will involve appointing an Information Owner/Functional Information Owner (FIO) and a Terminal Area Security Officer (TASO), which will be representatives from CLS.

This agreement creates a trust relationship between CWS and CLS. As such, CLS will honor the CWS authenticated user account prior to allowing connection to CLS. User-specific logon data is checked in the CWS trusted system and will not be reverified by CLS. Thus, the CWS will only pass a user to CLS that is logged into the CWS, which will assign each user to a role specified by CLS. The authentication process of the CWS must be compliant with DoD regulations. The CWS will pass through to CLS controls aligned with user validation, account maintenance, account monitoring, and security training as inheritable.

The trust relationship will be built upon the OAuth and OpenID standards. CLS has implemented the OAuth and OpenID 2.0 version. CWS will need to go through a registration process before connection to CLS via OAuth and OpenID will be permitted. During the registration process the CWS will be provided with:

- Client ID – client identifier issued to CWS during the registration process
- Client Secret – shared secret between CWS and CLS
- CLS URL/URI (and redirects)
- Format of communication strings (JSON)

CLS will not accept a connection from unregistered clients. CWS will provide server details during the registration process:

- Server name (host name)
- Server FQDN
- URL/URI (and any redirects)

While each user is not revalidated, it is essential to verify the user is connecting from the CWS. Therefore, it will be verified with each connection. Client authentication (CWS validation) will occur over secure network communications. CLS network communications are via HTTPS (port 443) using DoD approved methods. The Client ID and Client Secret will always be encrypted in all communication streams (currently via TLS).

CLS utilizes a role-based access control (RBAC) methodology; access will be provided based on user roles. The CWS will assign each user to a specific role commensurate with the user’s duties. It will provide a user name and DoDID in the communication string during the connection to facilitate reconnecting the user with stored activity. Users requiring elevated access to privileged functions, as defined by CLS, will be required to request that role in WAWF.

Upon accepting the connection, the user is issued a token (a string denoting a specific role and having a limited lifetime for connection). Access tokens are issued by the server supporting CLS.

CWS will support an idle connection timeout mechanism to protect against replay attacks. The timeout mechanism is to be compliant with DoD regulations.

If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, CLS will reject the connection.

CLS will maintain audit logs of successful and unsuccessful connections.
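
The connection checks described in this section (registered client, shared secret, exact redirect URI, assigned role, limited-lifetime token, audit log) as an added example; it is not CLS code and is not part of the original agreement. The field names, error strings, role name, 15-minute lifetime, ten-digit DoDID check and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


def digest(secret: str) -> str:
    """SHA-256 digest so the server never stores the raw client secret."""
    return hashlib.sha256(secret.encode()).hexdigest()


@dataclass(frozen=True)
class RegisteredClient:
    """Server-side result of registration (assumed shape, not from the ICD)."""
    client_id: str
    secret_digest: str
    redirect_uris: frozenset   # exact URIs supplied at registration
    roles: frozenset           # roles this client may assign to its users


def text(request: dict, key: str) -> str:
    """Return a string field, or "" when it is missing or not a string."""
    value = request.get(key)
    return value if isinstance(value, str) else ""


class ConnectionGate:
    TOKEN_LIFETIME_S = 900     # assumption: the ICD only says "limited lifetime"

    def __init__(self, clients, clock=time.time):
        self._clients = {c.client_id: c for c in clients}
        self._clock = clock
        self._tokens = {}      # token -> (role, expires_at)
        self.audit_log = []    # successful and unsuccessful connections

    def _check(self, request: dict) -> str:
        client = self._clients.get(text(request, "client_id"))
        if client is None:
            return "invalid_client"
        supplied = digest(text(request, "client_secret"))
        if not hmac.compare_digest(supplied, client.secret_digest):
            return "invalid_client"
        # Exact match only: prefix or substring matching would let a
        # look-alike redirect URI through.
        if text(request, "redirect_uri") not in client.redirect_uris:
            return "invalid_redirect_uri"
        if text(request, "role") not in client.roles:
            return "role_not_permitted"
        dodid = text(request, "dodid")
        # Assumed format check: a DoDID of ten decimal digits.
        if not text(request, "user_name") or not (
                len(dodid) == 10 and dodid.isascii() and dodid.isdigit()):
            return "invalid_user_fields"
        return "ok"

    def connect(self, request: dict) -> dict:
        reason = self._check(request)
        # The audit record never includes the client secret.
        self.audit_log.append({
            "time": self._clock(), "ok": reason == "ok", "reason": reason,
            "client_id": text(request, "client_id"),
            "dodid": text(request, "dodid"),
        })
        if reason != "ok":
            return {"error": reason}
        token = secrets.token_urlsafe(32)
        expires_at = self._clock() + self.TOKEN_LIFETIME_S
        self._tokens[token] = (text(request, "role"), expires_at)
        return {"access_token": token, "expires_in": self.TOKEN_LIFETIME_S}

    def role_for(self, token: str):
        """Role bound to a live token, or None once it is unknown or expired."""
        role, expires_at = self._tokens.get(token, (None, 0.0))
        if role is None or self._clock() >= expires_at:
            self._tokens.pop(token, None)
            return None
        return role


# Constructed sample data: placeholder client, secret, URI, role and user.
SAMPLE_REQUEST = {
    "client_id": "cws-example",
    "client_secret": "constructed-secret-value",
    "redirect_uri": "https://cws.example/callback",
    "role": "clause_user",
    "user_name": "jdoe",
    "dodid": "1234567890",
}


def build_demo_gate(clock=time.time) -> ConnectionGate:
    client = RegisteredClient(
        client_id="cws-example",
        secret_digest=digest("constructed-secret-value"),
        redirect_uris=frozenset({"https://cws.example/callback"}),
        roles=frozenset({"clause_user"}),
    )
    return ConnectionGate([client], clock=clock)


if __name__ == "__main__":
    gate = build_demo_gate()
    print(sorted(gate.connect(SAMPLE_REQUEST)))
    print(gate.connect({**SAMPLE_REQUEST, "redirect_uri": "https://cws.example/cb"}))
    print([entry["reason"] for entry in gate.audit_log])
```
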

3.1.7. Protection Levels

This document is intended to comply with the SI-10: Information Input Validation and SI-11: Error Handling National Institute of Standards and Technology (NIST) 800-53r4 controls, as well as the corresponding Federal Information System Controls Audit Manual (FISCAM) control objectives IN-1: Implement an Effective Interface Strategy and Design, and IN-2: Implement Effective Interface Control Procedures.

3.2. Interconnection Graphic

[Figure: interconnection graphic. Panels: CLS UI Direct Web Access; CLS UI CWS Web Access; CLS API Direct Access. Labels: CLS UI; Session; WAWF SSO; User logged into WAWF SSO authenticated via smartcard, “https://wawf.eb.; Local network CWS; User logged into local network authenticated via smartcard; OAuth/OpenID Connect via JSON; CLS passes Token to user session; CLS API; XML Request/Response; DLA eProcurement; System to System certificate.]


3.3. SSO Authentication

3.3.1. CLS UI Direct Web Access

CWS needn’t take any action to initiate this connection as this is between CLS and WAWF. CWS users will need to register in WAWF to avail themselves of this access.


3.3.2. CLS UI CWS Web Access

CWS must implement the following in their code to launch the connection.


3.4. CLS API Direct Access

3.5. Privacy

CLS contains no PII. CLS relies on public release data from the FAR and DFARS. During a session, users can save their work for completion later.

4. Regular Processing

CWS establishes connection with CLS via process defined in section 3 of this ICD for each user connecting. WAWF e-Business Suite processes user requests to CLS. CLS uses the SSO features of WAWF to grant role appropriate access to users.

As such, processing is on demand. Given the worldwide placement of contracting personnel, requests for access processing will occur at all hours – 24x365.

4.1. Schedule Variance

The CLS PMO shall notify the CWS PMO and DLA System’s Operations POC for WAWF of scheduled outages. Unplanned outages will be communicated to the PMO for CWS and DLA System’s Operations POC for WAWF as soon as the outage is detected.


In the same manner, the CWS PMO will notify DLA System’s Operations POC and CLS PMO if there is any interruption in the CWS. This notification will also occur if CWS has advance notice of expected outages or interruptions.

4.2. Expected Volume

4.2.1. Regular

4.2.1.1. CWS (This section to be completed by CWS Team)

4.2.1.2. CLS

Near-term transaction activity is in the range of 3,000 to 4,500; however, the majority of these are occurring within CLS. Activity traversing WAWF to CLS is marginal, in the range of 50 – 200 daily. These numbers will grow as additional CWSs come on board; refer to 4.2.3.

4.2.2. Seasonal

4.2.2.1. CWS (This section to be completed by CWS Team)

4.2.2.2. CLS

The nature of CLS business, provision and clause development for solicitations and contracts, is given to a relatively even distribution of activity throughout the year. Higher activities may occur as precursors of heightened military action.

4.2.2.3. WAWF e-Business Suite

During the last few weeks of both the end of the Fiscal Year and the End of the Calendar Year, the WAWF e-Business Suite system experiences a 15 – 20% surge in the volume of transactions processed. This is primarily due to the higher than normal volume of invoices prepared and processed for end of year payments to the vendors. In every month, the last weekend of the month is considered the “high volume” period due to end of month invoicing.

4.2.3. System Growth and Expansion

4.2.3.1. CWS (This section to be completed by CWS Team)

4.2.3.2. CLS

Activity will jump around the advent of new CWSs coming on-board. All new CWSs within DoD are required to utilize CLS [1], while existing ones are highly encouraged to use it. CLS is a new web application in 2017, just beginning the process of integrating the CWSs of DoD; thus, volumes will grow over time.

[1] Memorandum “Implementation of Defense-Wide Contract Clause Logic Service”, dated April 23, 2013; refer to http://www.acq.osd.mil/dpap/policy/policyvault/USA001481-13-DPAP.pdf for copy.


DLA – integrating 2018 – mostly automated interaction between the EBS CWS and CLS. This activity will not involve WAWF; however, DLA will have user need for direct interaction with CLS – ranging around 100 daily.

Army – integration 2018 – 2019 – assessment of volume by Army.

Navy – targeting 2020 – volumes to be assessed.

Fourth estate – future – volumes to be assessed.

4.2.3.3. WAWF e-Business Suite

The WAWF e-Business Suite adds approximately 4000 new users every month.

The WAWF e-Business Suite creates well over 7.5 million documents per year, and processes over 27 billion dollars’ worth of invoices per month.

On a typical day the WAWF e-Business Suite generates 50,000 extracts.

Document Count | Year
6135064 | 2010
5698335 | 2011
6070221 | 2012
6146129 | 2013
6091127 | 2014
6752492 | 2015
7012053 | 2016
4765090 | 2017*

* as of Aug 7, 2017

4.3. Recurring and Unexpected Maintenance Notification

4.3.1. CWS (This section to be completed by CWS Team)

4.3.2. CLS

ALTESS performs routine maintenance on the servers and patches operating system (OS) vulnerabilities.

ALTESS manages the OS for CLS. The Test systems are patched and rebooted on the 3rd Thursday of every month at 10:00PM. The Production systems are patched and rebooted on the 4th Thursday of every month.

Also per the ALTESS/OSD service agreement (SLA), monthly maintenances (MMW) are performed during scheduled time periods. Monthly maintenance typically starts on the scheduled Friday at 1730 and ends on Sunday morning.


4.3.3. WAWF e-Business Suite

The WAWF e-Business Suite PMO will only make the Suite unavailable for major releases and patches; scheduled downtime can begin on Friday night. Application users are notified of scheduled downtime 5 days prior to deployment via a splash message on the WAWF e-Business Suite home page, and 2 days via email for SFTP/EDI users.

4.4. Traceability Requirements

It is essential that audit logging be turned on, capturing logon activity in compliance with DLA Audit policy. DLA Auditing Implementation Guide version 1.3 will dictate the minimum level of auditing.

4.5. Validation Considerations

As CWS is providing authentication of users accessing CLS through CWS, it is essential validation complies with DoD enterprise smartcard regulations.

As WAWF is providing SSO service to online direct CLS users, it is essential validation comply with DoD enterprise smartcard regulations.

4.6. Error Handling

Due to involvement of multiple systems and middleware components, there are several potential points for error. These include:

Between Vendor and WAWF e-Business Suite - If an error is found in WAWF e-Business Suite during processing, the Vendor will receive an e-mail message notifying them of the error


5. CWS

Position | Name | Email Address
Program Manager | |
Audit Lead | |
Operations Managers | |
IA Manager | |
Program Office Distro | |

6. WAWF e-Business Suite POC

Position | Name | Email Address
Program Manager | Twyman Bledsoe | [email protected]
Audit Lead | Mr. David R. Hunt | [email protected]
Operations Managers | Ms. Yingfen Hu; Mr Ket Der | [email protected]; [email protected]
IA Manager | Mr. Gene Borman | [email protected]
Program Office Distro | WAWF e Business Suite Distribution List | [email protected]

7. CLS POC

Position | Name | Email Address
Program Manager | Christopher Webster | [email protected]
Deputy Program Manager | Kathleen Lemming | Kathleen.j.lemming.civ@mail.mil
Operations Manager | Stephen Arthur | [email protected]
IA Manager | Warren Loos | [email protected]
Technical Manager | Robert Baughman | [email protected]
Program Management Office | CLS PMO | [email protected]


8. Notification of ISA Changes

8.1. General

During the life cycle of this agreement, planned releases affecting the interconnection must be communicated to participating organizations 120 days prior to implementing the proposed or required change. Changes as a result of the testing will be addressed and remediated as needed. Furthermore, an annual review will be conducted to ensure the data feed is adequate for the current needs of the user community.

8.2. Regulatory Changes

CLS PMO, CWS PMO, and WAWF e-Business Suite PMO will concur on the implementation actions and an effective date of procedural changes required as the result of a Service or Agency regulatory change.

8.3. Functional, Technical, or Procedural Changes

Interconnection changes resulting in functional, technical, or procedural changes will be initiated by the responsible PMO; they will propose a mutually acceptable implementation date for the change(s). Each responsible PMO will:

Provide notice of proposed or pending changes to each other, including but not limited to mapping, interconnection, and/or hardware changes.

Provide sufficient time of notification to the other system and will expect prompt responses (within 30 days).

Take appropriate action in response to notification of security related events.

Actively manage requests from the CLS Configuration Control Board (CCB) and the Defense Sourcing Execution Portfolio Board.

8.4. Duration

This document will remain in force until either the signing parties, or their successors, provide a 90-day written notice of intent to nullify.

8.5. Provisions for Review and Changes

This ICD will be reviewed and revised annually upon mutual consent. Revisions will be noted and may include supplemental memoranda.


9. Signatures

9.1. Interconnection Security Agreement

This Interconnection Security Agreement has been approved by:

__________________________________________________ ________
Name To be provided by CWS Team, Date
Project Manager/Title, CWS

__________________________________________________ ________
Christopher W Webster, Date
Project Manager/Title, CLS

__________________________________________________ ________
Twyman Bledsoe, Date
Program Manager, WAWF e-Business Suite
