Cyber Protection Supply Arrangement Statement of Work Writing Guide

This SOW Writing Guideline was developed to assist departments in the preparation of Statements of Work (SOWs) for acquiring the services of IT Security Professional Services as described in the Cyber Protection Supply Arrangement (CPSA). Departments should tailor any SOW developed to meet their specific needs. Consult the Contracting authority assigned to the file for further guidance.

Disclaimer of Responsibility

This document was prepared by Public Works and Government Services Canada (PWGSC) for convenience of reference, is provided "as is", and may be used by other parts of the Government of Canada. Anyone referring to or relying upon this document or its content does so at their own risk and no guarantee is made as to its accuracy, reliability or applicability. Under no circumstance is PWGSC responsible for any direct or indirect damages, losses or problems that may arise from the use of this document or its content. Any use of this document or its content constitutes the acceptance of the terms of this disclaimer.

STATEMENT OF WORK WRITING GUIDELINES

Write the Statement of Work (SOW) using language that will explain what is needed to a non-expert. Address the Who, What, When, Where and sometimes How of what must be done. Use plain language, proper grammar and numbering systems (Avoid using sentence fragments and bullets).

The SOW should provide Bidders with enough information to:

1. understand the nature and extent of the work;
2. determine if they are qualified to bid; and
3. formulate a fully priced proposal.

The SOW must be limited to describing what the winning bidder is required to do after it has been awarded the contract. Refer to the vendor as the Contractor within the SOW.

Do not include the following information in the SOW:

1. information regarding the available budget and Fiscal Year (FY) budgetary constraints;
2. costing information;
3. information regarding the proposed Basis of Payment and payment schedule;
4. sole source justification, name and address of the proposed contractor (when sole source);
5. proposed evaluation criteria and contractor selection method (when competitive);
6. Security or Travel clauses;
7. details concerning the ownership of Intellectual Property (IP); and
8. the client organization, contact name, address and telephone/facsimile numbers.

<INSERT TITLE OF SOW>

1. INTRODUCTION

Describe briefly what is needed. Example: The <Department name> requires services under <Insert CPSA Work Stream # > on an "as and when requested" basis (Note: do not use the phrase "as and when requested" for firm price contracts). If this is a task based contract, include a statement to that effect.

2. BACKGROUND

If required, give context that will orient the Bidder as to the nature of the requirement. The information provided here should aid bidders in costing a proposal.

Put yourself in the Bidder's position and ask:

1. Will this information better situate me to understand the context and relative complexity of the requirement?
2. Do I need to know this in order to decide if I will bid?
3. Can I use this information to aid in determining my price?

Information relating to the project or the departmental program that this contract supports may be provided here. Avoid including information that is superfluous, misleading or contradictory to the objective of this contract.

3. OBJECTIVE

Describe the expected result of the work to be performed under this contract, not the project or departmental program as a whole. Example: The objective of this contract is to obtain a risk assessment and risk mitigation plan for systems A, B and C in order to obtain certification of these systems.

4. SCOPE OF WORK

The Scope should detail the high-level areas of endeavor required to complete the work. Example: The scope of work includes risk assessment, risk mitigation and certification for system A, System B and System C. For each system, the following work is required:

1. Preliminary Statement of Sensitivity
2. Privacy Impact Assessment
3. Final Certification Plan
4. Security Requirements Definition
5. Concept of Operations
6. Security Architecture
7. Threat and Risk Assessment
8. Safeguard Implementation Plan
9. Technical Vulnerability Assessment
10. Certification Report

Each of these points constitutes its own sub-section of the Scope of work and must be adequately detailed either here or at section 6.

Note: A Transition Plan must be developed if a dependence on a vendor is created for an on-going requirement that must be re-competed after this contract expires. The Contractor's obligations should be included in the scope of work.

5. PERSONNEL REQUIREMENTS

If the Technical Authority has devised a technical solution and work plan (this is called Design based contracting), identify the resources required to perform the work detailed in the SCOPE section of the SOW. Use of a table enhances clarity. Example:

	RESOURCE CATEGORY	LEVEL	QUANTITY	SECURITY LEVEL
5.1	CPSA WS3 - IT Security TRA and C&A Analyst	Senior	2	Secret
5.2	CPSA WS3 - Privacy Impact Assessment Specialist	Senior	1	Secret
5.3	CPSA WS3 - IT Security Design Specialist	Senior	1	Secret
5.4	CPSA WS3 - IT Security Vulnerability Assessment (VA) Specialist	Senior	1	Secret

Note: This section may not always be required - The scope alone may suffice in instances where the vendor is asked to determine the solution and how to best address It (This is called Performance based Contracting).

6. SERVICES REQUIRED

For each of the resources identified, create a generalized work description supported by a list of the tasks that the resource(s) are expected to perform. The task list should follow the same order as the resources are presented in section 5. If this a performance based contract and section 5 has been omitted, specific tasks that have been identified can be included under the scope element they address at section 4.

7. DELIVERABLES

Deliverables are the result of tasks performed. Individual deliverables do not require any further action for completion by the contractor. "Developing a Statement of Sensitivity" is not a deliverable, it is a task, as further action is still required to produce the end state - a "Statement of Sensitivity".

Consider the following when formulating a description of the deliverables:

1. Indicate the format that deliverables should be in, e.g. MS Word.
2. Do you want electronic copy, hard copy or both?
3. What language(s) should be used?
4. Where will it be delivered?
5. How will it be assessed - Are acceptance criteria required? Acceptance criteria could be based on standards and policies cited under the Applicable Documents at section 11 of this template.

A schedule for the deliverables can be included. It is preferable to build timelines from contract award when possible. Example: The report should be received 1 month from contract award.

8. CONSTRAINTS

If applicable, provide details of any imposed constraints that the bidder must consider (i.e. factors that set parameters, limiting the contractor's options or choices in the way the work can be carried out).

9. LANGUAGE OF WORK

Specify the language that work will be performed and delivered in.

10. TRAVEL REQUIREMENTS

If possible, indicate where, how often and by whom travel is required. This will help the Bidder cost a proposal or even decide if they will bid. If three resources are needed and only one must travel, indicate which one must travel.

11. APPLICABLE DOCUMENTS

List the documents the Contractor will require to understand and perform the work. They must be made available to all Bidders - Not just the contractor awarded the contract. There are occasions where restricted documents will only be made available to the Bidder selected for Contract.

12. GOVERNMENT FURNISHED EQUIPMENT/INFORMATION

If applicable, list what Canada will provide the Contractor to aid in performing the work. Consider whether the resource(s) require access to departmental IT systems and what must be done to facilitate this.

13. LOCATION OF WORK

Indicate where the work is to be performed. If the work is to be performed on PWGSC premises, consider if accommodation is required.

Quick Check: If all the deliverables indicated in the SOW have been received, will the Contract objective be met?