Public Works and Government Services Canada

Sample Statement of Work for Cyber Protection Supply Arrangement - Information Technology-Security Consulting Services

This Generic Statement of Work for Cyber Protection Supply Arrangement (CPSA) was developed to assist departments in the preparation of Statements of Work (SOWs) for acquiring the services of IT Security Professional Services as described in the Cyber Protection Supply Arrangement (CPSA). This generic document should be tailored by departments to meet their specific needs. It should be noted, however, that the information and procedures presented herein are based on the government publications listed within, as applicable for each work stream, and for each skill group. Please refer to the CPSA Business Managers Guide for more details on the CPSA.

Disclaimer of Responsibility

This document was prepared by Public Works and Government Services Canada (PWGSC) for convenience of reference, is provided "as is", and may be used by other parts of the Government of Canada. Anyone referring to or relying upon this document or its content does so at their own risk and no guarantee is made as to its accuracy, reliability or applicability. Under no circumstance is Public Works and Government Services Canada (PWGSC) responsible for any direct or indirect damages, losses or problems which may arise from the use of this document or its content. Any use of this document or its content constitutes the acceptance of the terms of this disclaimer.

SAMPLE STATEMENT OF WORK (SOW) for CPSA - IT-Security Consulting Services

Government of Canada
{Department or Agency Name Spelled out}

STATEMENT OF WORK FOR THE
{PROJECT NAME – SPELLED OUT}

Contract issued under the Cyber Protection Supply Arrangement (CPSA)

Version: 1.0
{YEAR-MONTH-DAY}

TABLE OF CONTENTS

  1. INTRODUCTION
  2. OBJECTIVE
  3. SCOPE OF WORK
  4. PERSONNEL REQUIREMENTS
  5. SERVICES REQUIRED
  6. DELIVERABLES
  7. FORMAT OF DELIVERABLES
  8. LANGUAGE OF WORK
  9. APPLICABLE DOCUMENTS
  10. LOCATION OF WORK

1. INTRODUCTION

The <Department Name> requires IT Security Consulting Services under the <Insert Work Stream> of the Cyber Protection Supply Arrangement (CPSA) on an "as and when requested" basis. Work will be initiated using a Task Authorization process.

2. OBJECTIVE

The objective of this contract is to provide Certification and Accreditation (C&A) and Threat Risk Assessments (TRAs) for IT-Systems A and B as well as applications C and D. It is estimated that up to 10 TRAs and 5 C&A activities will be performed in the course of this Contract.

3. SCOPE OF WORK

The scope of work under this contract includes the following:

  • 3.1 management, co-ordination and oversight of the contractor IT security team;
  • 3.2 threat and risk assessment of IT systems and infrastructure comprised of:
    • 3.2.1 statement of sensitivity;
    • 3.2.2 threat assessment;
    • 3.2.3 non-technical vulnerability assessment;
    • 3.2.4 risk assessment; and
    • 3.2.5 recommendations for risk mitigation.
  • 3.3 Certification and Accreditation of IT systems and infrastructure that includes:
    • 3.3.1 Development of Security Certification Plans;
    • 3.3.2 Verification that security safeguards meet the applicable policies and standards;
    • 3.3.3 Validation of security requirements by mapping system-specific security policy to functional security requirements, and mapping the security requirements through the various stages of design documents;
    • 3.3.4 Verification that security safeguards have been implemented correctly and that assurance requirements have been met. This includes confirming that the system has been properly configured, and establishing that the safeguards meet applicable standards;
    • 3.3.5 Security testing and evaluation (ST&E) to determine if the technical safeguards are functioning correctly;
    • 3.3.6 Review of the certification to ensure that the system will operate with an acceptable level of risk and that it will comply with the departmental and system security policies and standards;
    • 3.3.7 Identification of the conditions under which a system is to operate (for approval purposes). This may include the following types of approvals:
      • 3.3.7.1 Developmental approval by both the Operational and the Accreditation Authorities to proceed to the next stage in an IT system's life cycle development;
      • 3.3.7.2 Operational written approval for the implemented IT system to operate and process sensitive information.

4. PERSONNEL REQUIREMENTS

The following resources are required on an "as and when requested" basis:

  RESOURCE  CATEGORY                              LEVEL   QUANTITY  SECURITY LEVEL
  4.1       WS3 - IT Security Project Manager     Senior  1         Secret
  4.2       W - IT Security TRA and C&A Analyst   Senior  3         Secret

5. SERVICES REQUIRED

The resources listed below will provide the following services on an "as and when requested" basis:

  • 5.5 The Senior IT Security Project Manager is required to:
    • 5.5.1 manage and coordinate the work and provide quality control oversight on all deliverables;
    • 5.5.2 ensure adherence by the IT Security Team to all relevant security, safety & environmental regulations, rules and good practices;
    • 5.5.3 develop and maintain Project Plan(s) and Work plans, as directed by the Technical Authority;
    • 5.5.4 provide regular status reports, format and frequency to be defined in consultation with the Technical Authority;
    • 5.5.5 act as primary interface to the Technical Authority and Project Team;
    • 5.5.6 request agenda items from the Technical Authority, prepare a consolidated agenda for regular progress meetings and prepare a record of discussion/decisions resulting from regular progress meetings;
    • 5.5.7 immediately notify the Technical Authority of any issue/problem that may impede, delay or negatively impact completion of an authorized task;
    • 5.5.8 ensure and maintain an electronic library of work in progress, delivered items and review comments, and version control thereof.
  • 5.6 The Senior IT TRA and C&A Analyst is required to:
    • 5.6.1 gather Information from system owners;
    • 5.6.2 complete Statements of Sensitivity, identify threat agents, threats and threat scenarios, determine risks, identify potential vulnerabilities and recommend safeguards and other risk mitigation strategies on the IT enterprise-wide infrastructure, systems, applications and services identified by the Technical Authority, combining and re-using information as much as possible;
    • 5.6.3 request written comments and review written comments from the Project Authority;
    • 5.6.4 develop a single report that synthesizes recommendations and risk mitigation strategies for senior management, with supporting detailed technical documentation;
    • 5.6.5 prepare a draft work plan for reconciliation of the risk mitigation strategies and a department-wide implementation strategy;
    • 5.6.6 produce a draft TRA;
    • 5.6.7 produce the final TRA;
    • 5.6.8 verify that security safeguards for IT systems and infrastructure meet the applicable policies and standards;
    • 5.6.9 verify that security safeguards have been implemented correctly and that assurance requirements have been met;
    • 5.6.10 assess and verify that the residual risk indicated in risk assessments meets an acceptable level of risk;
    • 5.6.11 review certification results in the design review documentation by the Accreditation Authority to ensure that the system will operate at an acceptable level of risk and that it will comply with the departmental and system security policies and standards; and
    • 5.6.12 identify the conditions under which a system is to operate for approval purposes.

6. DELIVERABLES

The Contractor shall submit all deliverables specified within individual Task Authorizations to the Technical Authority. Drafts of the deliverables must be forwarded to the Technical Authority for review and comment as determined in consultation with the Contractor. Deliverables under individual Task Authorizations may include:

  • 6.1 Monthly Progress Reports attached to each progress claim. Monthly Progress Reports must include the following information:
    • 6.1.1 all significant activities performed by each occupational category or resource under each task during the period covered by the progress report;
    • 6.1.2 status of all action/decision items originating from each task, as well as a list of outstanding activities and the expected completion date;
    • 6.1.3 a description of any issues or problems encountered which are likely to require attention by the Technical Authority;
    • 6.1.4 recommendations relating to the conduct of the work, if applicable;
  • 6.2 the initial and regularly updated Project Plan for each specific Task Authorization;
  • 6.3 draft and final copies of technical documentation such as TRAs and C&As; and
  • 6.4 managerial reports.

7. FORMAT OF DELIVERABLES

  • 7.1 Protected A, B and Secret documents must include one hard copy and one copy in electronic format (on CD or DVD) and shall be hand delivered to the Technical Authority; unclassified documents must be delivered as e-mail attachments.
  • 7.2 Monthly Progress Reports must be attached to each Progress claim and submitted to the Technical Authority by email.
  • 7.3 Deliverables must be in Microsoft Word version 2000 or newer.

8. LANGUAGE OF WORK

Work will be performed and delivered in both French and English.

9. APPLICABLE DOCUMENTS

  • 9.1 ISO/IEC 27001 and ISO/IEC 27002

10. LOCATION OF WORK

The majority of the work will be performed at the contractor's facilities. The <insert department name> is located within the National Capital Region and access to IT systems and infrastructure will be made available as required. The contractor is required to attend meetings at the <insert department name>.