Service Guide

Networx Security Services - Overview

The Networx contracts require a basic level of security management for its contractors that ensures compliance with Federal Government generally accepted security principles and practices, or better. The contracts employ adequate and reasonable means to ensure and protect the integrity, confidentiality, and availability of Networx services, Operational Support Systems (OSS), and Government information transported or stored in the contractor's Networx services infrastructure. These requirements are detailed in Section C.3.3.2 Security Management of the Networx contracts.

In addition to this mandatory level of security, the Networx contracts provide additional security services that may be ordered on a fee-for-service basis. These are:

1. 1. Managed Tiered Security Service (MTSS)
2. 2. Managed Firewall Service (MFS)
3. 3. Intrusion Detection and Prevention Service (IDPS)
4. 4. Vulnerability Scanning Service (VSS)
5. 5. Anti-Virus Management Service (AVMS)
6. 6. Incident Response Service (INRS)
7. 7. Managed E-Authentication Service (MEAS)
8. 8. Secure Managed E-Mail Service (SMEMS)

The IDPS offering is described below.

IDPS Technical Summary

Agency networks, like their commercial counterparts, continue to be challenged with increasing security risks. IDPS serves as a component of the Agency's security infrastructure by providing an extra layer of protection for its internal networks. The service enables the monitoring and identification of potential security threats, and helps reduce network service disruptions caused by malicious attacks. IDPS analyzes packet activity for indications of network attack, misuse, and anomalies. The service then generates alerts and records suspicious events.

IDPS builds on the FTS2001 contracts offerings. The service connects to and interoperates with the Agency networking environment, including Demilitarized Zones (DMZs) and secure LANs as required by the Agency. The service also supports connectivity to extranets and public networks such as the Internet.

The contractor provides the IDPS software and hardware components, as required. The Agency may order one or more of the following:

• Intrusion Detection and Prevention Service (IDPS) to secure the Agencies internal networks.
• Host Intrusion Detection and Prevention Service (Host IDPS) which monitors critical Agency servers for security breaches and misuse while enforcing best industry practices, and Agency security policies.

The diagram below illustrates a sample IDPS implementation. Illustrative hardware such as edge routers and Agency servers are not provided as part of the IDPS.

Currently IDPS does not provide any features.

IDPS is an intrusion recognition and mitigation service that protects Agency networks against cyber attacks. The service detects signs of intrusion that may jeopardize the confidentiality, integrity, availability, and control of Agency networks. IDPS supports corrective responses to stop or alleviate malicious attacks. IDPS helps to maintain the availability of Agency mission-critical resources.

IDPS supports a range of technical capabilities that are available in commercial offerings. These include design and implementation services to allow the Agency and the contractor to discuss matters such as system recommendations, a baseline assessment, rules, signature sets, configurations, and escalation procedures. In addition, the service proactively monitors the Agency network on a 24X7 basis for indications of compromise such as intrusions, anomalies, malicious activities, and network misuse. IDPS also performs anomaly detection to identify atypical traffic trends and unusual behaviors that may indicate a potential attack. The service detects precursor activities such as unauthorized network probes, sweeps, and scans. In addition, IDPS performs signature-based detection and analyze system activity for known attacks such as, but not limited to, buffer overflows, brute force, Denial of Service (DOS), and reconnaissance efforts. The service responds dynamically to threats and takes proactive and corrective actions to secure the network. These measures include, for example, automatically terminating affected connections, blocking traffic from the originating host, and disconnecting ports. These and other service capabilities are detailed in Section C.2.10.2.1.4 Technical Capabilities of the Networx contracts.

IDPS is required to support the User-to-Network Interfaces (UNIs) defined in applicable Networx services, for example:

• C.2.4.1Internet Protocol Service (IPS)
• C.2.7.2Premises-based IP VPN Services (PBIP-VPNS)
• C.2.7.3Network-based IP VPN Services (NBIP-VPNS)

Each Networx contractor may provide variations or alternatives to the offering and pricing for IDPS. The specific details can be found within each Contractor's Networx contract files and pricing notes for IDPS.

For more information on the general IDPS specifications and requirements, please refer to Section C.2.10.2 of the Networx contract for technical specifications and Section B.2.10.2 for pricing.

IDPS Price Basics

IDPS is an intrusion recognition and mitigation service that detects signs of intrusion that may jeopardize the confidentiality, integrity, availability, and control of Agency networks. IDPS builds on the FTS2001 contracts offerings. Basic services include software, installation, maintenance and ongoing service support and are available as:

• Intrusion Detection and Prevention Service (IDPS) to secure the Agencies internal networks available in the following two Tiers:
  • Tier I. providing IDPS support for up to and including 100 Mbps
  • Tier II. providing IDPS support for over 100 Mbps and up to and including 1 Gbps
• Host Intrusion Detection and Prevention Service (Host IDPS) per server which monitors critical Agency servers for security breaches and misuse while enforcing best industry practices, and Agency security policies.

Price components required for service are:

• Underlying transport services, such as IPS, NBIP-VPNS or PBIP-VPNS, to provide connectivity
• Basic service (NRC and/or MRC) consisting of either:
  • IDPS (NRC + MRC per IDPS device). Two (2) tiers of service are available based on required bandwidth.
  • Host IDPS (NRC + MRC per server)
• No features available currently
• Service Enabling Devices (SEDs) may be required to implement IDPS. [Please note that SEDs under Networx replace the FTS2001 User-to-Network Interfaces and Access Adaptation Functions (UNIs/AAFs). SEDs may differ between Networx providers. The pricing structure for SEDs provides for either a one-time payment or monthly term payments for purchase, plus a NRC for installation and a MRC for maintenance.]

The Networx contracts require a basic level of security management for its contractors that ensures compliance with Federal Government generally accepted security principles and practices, or better. The contracts employ adequate and reasonable means to ensure and protect the integrity, confidentiality, and availability of Networx services, Operational Support Systems (OSS), and Government information transported or stored in the contractor's Networx services infrastructure. These requirements are detailed in Section C.3.3.2 Security Management of the Networx contracts.

In addition to this mandatory level of security, the Networx contracts provide additional security services that may be ordered on a fee-for-service basis. These are:

1. 1.Managed Tiered Security Services (MTSS)
2. 2.Managed Firewall Service (MFS)
3. 3.Intrusion Detection and Prevention Service (IDPS)
4. 4.Vulnerability Scanning Service (VSS)
5. 5.Anti-Virus Management Service (AVMS)
6. 6.Incident Response Service (INRS)
7. 7.Managed E-Authentication Service (MEAS)
8. 8.Secure Managed E-Mail Service (SMEMS)

The Managed E-Authentication Service (MEAS) offering is described below.

Managed E-Authentication Service (MEAS) Technical Summary

MEAS enables an individual to remotely authenticate his or her identity to an Agency Information Technology (IT) system. The service provides validation and verification of users via tokens and certificates. MEAS allows Agencies to securely conduct electronic transactions and implement E-Government initiatives via the Internet and other networks. The MEAS contractor provides and manages the authentication systems.

The diagram below illustrates a sample token-based MEAS implementation.

The following diagram illustrates a certificate-based MEAS implementation.

Note that illustrative hardware such as routers and firewalls depicted in the diagrams are not provided as part of the MEAS.

MEAS builds on the FTS2001 contracts offerings. The service connects to and interoperates with the Agency networking environment, including Demilitarized Zones (DMZs) and secure LANs as required by the Agency. The service also supports connectivity to extranets and public networks such as the Internet.

MEAS enables the remote authentication of individual users over a network for the purpose of electronic government and commerce. MEAS technical capabilities are defined in three major categories that are further detailed in Sections C.2.10.6.1.4.1, C.2.10.6.1.4.2 and C.2.10.6.1.4.3 of the Networx contracts.

Design and Engineering Services

• Provide system architecture and equipment recommendations, a baseline assessment, a final design configuration, and operational procedures.
• Support the Agency in developing a detailed implementation plan.
• Provide installation and integration support.

Token-Based Implementation Management

Token-Based Implementation

• Setup the authentication service at the identity authentication assurance level specified by the Agency.
• Issue smart cards and/or other token devices.
• Follow the E-Authentication federated authentication model to allow agencies to validate multiple levels of authentication via a single interface, enabling inter-Agency acceptance of digital certificates, and a single sign-on capability.
• Provide authentication methods such as passwords and Personal Identification Numbers (PINs), mechanisms based on fingerprints, and network authentication systems and servers for embedded devices (e.g., routers, modem servers, switches, etc.).
• Support Agencies in developing, implementing, and maintaining the Authentication, Authorization, and Accounting (AAA) system and servers for network access, including the related tokens, based on, but not limited to protocols such as RADIUS, TACACS/TACACS+ (Cisco), and DIAMETER.

Token-Based Management

• Manage and maintain the user authentication service including the related tokens, such as one-time password devices, smart cards, and hardware tokens.
• Provide change management functions such as adding/deleting a user, resetting a PIN, modifying the IP addresses of software agent, and user ID administration.
• Ensure uninterrupted operations using mechanisms such as redundant servers that are located in geographically separate locations with the content continuously synchronized between them.

Certificate-Based Implementation and Management

Certificate-Based Implementation

• Set-up a managed Public-Key Infrastructure (PKI) that comprises, but is not limited to Certification Authority (CA), Registration Authority (RA), directory, and associated servers.
• Host and administer PKI certificates for the Agency, including but not limited to certificate issuance, validation services, Agency application certificate registration, and management.
• Setup the authentication service at the identity authentication assurance level specified by the Agency.
• Follow the E-Authentication federated authentication model to allow agencies to validate multiple levels of authentication via a single interface, enabling inter-Agency acceptance of digital certificates, and a single sign-on capability.

Certificate-Based Management

• Maintain the database of user names, user IDs, and passwords.
• Provide digital certificates and digital signatures as well as CA services.
• Ensure uninterrupted operations using mechanisms such as redundant servers that are located in geographically separate locations with the content continuously synchronized between them.
• Provide change management functions such as adding/deleting a user, resetting a password, modifying the IP addresses of software agent, and user ID administration.

The MEAS feature set is described in Section C.2.10.6.2 of the Networx contracts. It consists of:

• Biometric Characteristics - Provide biometric authentication methods including iris scan, voice, and facial recognition, as required by the Agency.
• Encryption/Digital Signature Client Software - Provide and support the encryption/digital signature client software for the Agency.
• E-Authentication Training - Provide E-Authentication training to Agency personnel as required.
• Directory/Repository Function - Develop, implement, and maintain a Directory/Repository function that will support the PKI and/or other e-authentication mechanism chosen by the Agency.

MEAS is required to support the User-to-Network Interfaces (UNIs) defined in applicable Networx services, for example:

• C.2.3.1 Frame Relay Service (FRS)
• C.2.3.2 Asynchronous Transfer Mode Service (ATMS)
• C.2.4.1 Internet Protocol Service (IPS)
• C.2.7.2 Premises-based IP VPN Services (PBIP-VPNS)
• C.2.7.3 Network-based IP VPN Services (NBIP-VPNS)

Each Networx contractor may provide variations or alternatives to the offering and pricing for MEAS. The specific details can be found within each Contractor's Networx contract files and pricing notes for MEAS.

For more information on the general MEAS specifications and requirements, please refer to Section C.2.10.6 of the Networx contract for technical specifications and Section B.2.10.6 for pricing.

MEAS Price Basics

MEAS provides various methods (e.g., tokens, digital certificates, biometrics, e-signatures) for the authentication, validation, and verification of users over an Agency's systems and networks. Any required software components are included in the service prices. MEAS provides the following components:

• Token-based MEAS.
• Certificate-based MEAS.

MEAS builds on the FTS2001 contracts offerings.

Price components required for service are:

• Underlying transport services, such as IPS, to provide connectivity.
• Basic service (NRC ICB and/or MRC) consisting of either:
  • Token-Based MEAS (NRC ICB + MRC per user)
  • Certificate-Based MEAS (NRC ICB + MRC per user)
• Features ordered as needed by the Agency:
  • *Biometric Characteristics
  • Encryption/Digital Signature Client Software
  • E-Authentication Training
  • *Directory/Repository Function
• Service Enabling Devices (SEDs) may be required to implement MEAS. [Please note that SEDs under Networx replace the FTS2001 User-to-Network Interfaces and Access Adaptation Functions (UNIs/AAFs). SEDs may differ between Networx providers. The pricing structure for SEDs provides for either a one-time payment or monthly term payments for purchase, plus a NRC for installation, and a MRC for maintenance.]
• Design and Engineering (NRC ICB), if necessary.

* Some or all price components are priced on an Individual Case Basis (ICB). CLINs with ICB prices are not available in the unit pricer.

• Underlying transport: Choose Networx telecommunications services such as IPS.
• Basic Service NRC: Choose CLIN 380002 (Token-based MEAS NRC ICB).
• Basic Service MRC: Choose CLIN 380025 (Token-based MEAS between 251 and 500 users MRC per user).
• SEDs must be chosen based on equipment required at each location. CLINs may differ between contractors.
• A Design and Engineering NRC may be applicable.

• Underlying transport: Choose Networx telecommunications services such as IPS.
• Basic Service NRC: Choose CLIN 380003 (Certificate-based MEAS NRC ICB).
• Basic Service MRC: Choose CLIN 380036 (Certificate-based MEAS between 501 and 1,000 users MRC per user).
• SEDs must be chosen based on equipment required at each location. CLINs may differ between contractors.
• A Design and Engineering NRC may be applicable.

Each Networx contractor may provide variations or alternatives to the offering and pricing for MEAS. The specific details can be found within each Contractor's Networx contract files and pricing notes for MEAS.

For more information on the general MEAS specifications and requirements, please refer to Section C.2.10.6 of the Networx contract for technical specifications and Section B.2.10.6 for pricing.

The Networx contracts require a basic level of security management for its contractors that ensures compliance with Federal Government generally accepted security principles and practices, or better. The contracts employ adequate and reasonable means to ensure and protect the integrity, confidentiality, and availability of Networx services, Operational Support Systems (OSS), and Government information transported or stored in the contractor's Networx services infrastructure. These requirements are detailed in Section C.3.3.2 Security Management of the Networx contracts.

In addition to this mandatory level of security, the Networx contracts provide additional security services that may be ordered on a fee-for-service basis.

These are:

1. 1.Managed Tiered Security Service (MTSS)
2. 2.Managed Firewall Service (MFS)
3. 3.Intrusion Detection and Prevention Service (IDPS)
4. 4.Vulnerability Scanning Service (VSS)
5. 5.Anti-Virus Management Service (AVMS)
6. 6.Incident Response Service (INRS)
7. 7.Managed E-Authentication Service (MEAS)
8. 8.Secure Managed E-Mail Service (SMEMS)

The MFS offering is described below.

MFS Technical Summary

MFS builds on the FTS2001 contracts offerings. The service is implemented to secure internal Agency networks. MFS allows Agencies to mitigate the increasing network security risks they face. The service is one of the security tools that will help reduce service disruptions caused by malicious access, and prevent unauthorized access to or from private networks, such as Local Area Networks (LANs).

MFS safeguards internal networks and systems from hostile activity, protecting critical data from compromise and tampering. As buffers between trusted internal networking environments and external networks, firewalls inspect traffic according to a set of defined security policies, blocking all traffic not meeting the Agency's criteria.

MFS connects to and interoperates with the Agency networking environment, including Demilitarized Zones (DMZs) and secure LANs as required by the Agency. The service also supports connectivity to extranets and public networks such as the Internet.

The contractor provides the firewall software and hardware components, as required. The Agency may order one or more of the following:

Premises-based firewalls deployed at the Agency location. Network-based firewalls located in the contractor's infrastructure. Application/proxy-based firewalls positioned and implemented as per agency needs, and monitor traffic at the application layer.

The diagram below illustrates a sample firewall implementation. Illustrative hardware such as edge routers and Agency servers are not provided as part of the MFS.

MFS also offers several features that complement the basic service. They are

• Demilitarized Zones (DMZs) Support
• Email Security
• Extranet Support
• Fast Ethernet Connection
• Firewall Load Balancing
• Firewall Redundancy
• Firewall-to-Firewall VPNs
• Personal Firewalls
• Remote Client VPNs
• Uniform Resource Locator (URL) Filtering
• User Authentication Integration

These features are described in Section C.2.10.1.2 Features of the Networx contracts.

MFS provides Agency's internal networks with a layer of protection against cyber attacks. This includes providing Agencies with real-time monitoring that helps mitigate attacks and maintain the availability of Agency mission-critical resources; and a single point of accountability for designing, implementing, managing, monitoring, and maintaining the security solution.

MFS will support the full range of technical capabilities that are available in commercial offerings. These include implementing firewall security policies according to the Agency's needs, proactively monitoring the firewall components on a 24x7 basis, and detecting suspicious activity and policy violations. MFS employs various protection techniques, including but not limited to Stateful Packet Inspection, Network Address Translation (NAT) and Port Address Translation (PAT), to guard the Agency's networks from attacks. The service also uses best practices against Denial of Service (DOS), Ping of Death, IP Spoofing, SYN Flood, and Tear Drop attacks. These and other service capabilities are detailed in Section C.2.10.1.1.4 Technical Capabilities of the Networx contracts.

MFS is required to support the User-to-Network Interfaces (UNIs) defined in applicable Networx services, for example:

• C.2.3.1 Frame Relay Service (FRS)
• C.2.3.2 Asynchronous Transfer Mode Service (ATMS)
• C.2.4.1 Internet Protocol Service (IPS)
• C.2.7.2 Premises-based IP VPN Services (PBIP-VPNS)
• C.2.7.3 Network-based IP VPN Services (NBIP-VPNS)

Each Networx contractor may provide variations or alternatives to the offering and pricing for MFS. The specific details can be found within each Contractor's Networx contract files and pricing notes for MFS.

For more information on the general MFS specifications and requirements, please refer to Section C.2.10.1 of the Networx contract for technical specifications and Section B.2.10.1 for pricing.

MFS Price Basics

MFS builds on the FTS2001 contracts offerings. MFS provides the following components:

• Premises-based firewalls deployed at the Agency location.
• Network-based firewalls serving the Agency from the contractor's infrastructure.
• Application/proxy-based firewalls, implemented as per agency requirement, monitor traffic at the application layer.

Premise-based and network-based MFS basic services are available in the following three Tiers:

• Tier I - providing firewall support up to 10 Mbps and up to 100 IP addresses
• Tier II - providing firewall support for up to 100 Mbps and up to 1,000 IP addresses
• Tier III - providing firewall support for up to 1 Gbps and unlimited IP addresses

Price components required for service are:

• Underlying transport services, such as FRS or IPS, to provide connectivity
• Basic service (NRC and/or MRC) consisting of either:
  • Premise-Based MFS (NRC + MRC per firewall). Three (3) tiers of service are available based on required bandwidth and number of IP addresses.
  • Network-Based MFS (NRC + MRC per firewall). Three (3) tiers of service are available based on required bandwidth and number of IP addresses.
  • Application Proxy-Based MFS is priced ICB (NRC + MRC).
• Features ordered as needed by the Agency:
  • Demilitarized Zones (DMZs) Support
  • Email Security
  • Extranet Support
  • Fast Ethernet Connection
  • Firewall Load Balancing
  • Firewall Redundancy
  • Firewall-to-Firewall VPNs
  • Personal Firewalls
  • Remote Client VPNs
  • Uniform Resource Locator (URL) Filtering
  • User Authentication Integration
• Service Enabling Devices (SEDs) may be required to implement MFS. [Please note that SEDs under Networx replace the FTS2001 User-to-Network Interfaces and Access Adaptation Functions (UNIs/AAFs). SEDs may differ between Networx providers. The pricing structure for SEDs provides for either a one-time payment or monthly term payments for purchase, plus a NRC for installation, and a MRC for maintenance.]
  • SEDs are required to implement Premise-based MFS
  • SEDs may be required to implement Network-based MFS
  • SEDs are required to implement Application/proxy-based MFS

Example 2: Network-based MFS providing firewall support up to 500 Mbps and up to 2,000 IP addresses:

• Transport: Choose Networx telecommunications services such as IPS
• Network-based NRC: Choose CLIN 300203 (Network-Based MFS: Tier III NRC per firewall)
• Network-based MRC: Choose CLIN 300303 (Network-Based MFS: Tier III MRC per firewall)
• SEDs may be required to implement Network-based MFS. Illustrative hardware such as routers and Agency servers are not provided as part of the MFS.

Each Networx contractor may provide variations or alternatives to the offering and pricing for MFS. The specific details can be found within each Contractor's Networx contract files and pricing notes for MFS.

For more information on the general MFS specifications and requirements, please refer to Section C.2.10.1 of the Networx contract for technical specifications and Section B.2.10.1 for pricing.

Managed Network Services (MNS) Technical Summary

MNS offers comprehensive network management solutions that are designed to meet Agency requirements. Under the MNS offering, the contractor provides overall management of an Agency's infrastructure, including real-time proactive network monitoring, rapid troubleshooting and service restoration.

The basic MNS concept is illustrated in the Figure below. The MNS contractor provides the necessary design, engineering, project management, and other functional requirements to satisfy the particular requirements of an Agency. Agency networks vary in complexity in terms of size, bandwidth, and functionality. The MNS contractor is the Agency's single point of accountability for all networks managed under this service, including operations, maintenance, and administrative activities.

MNS works with underlying Networx offerings such as Frame Relay Service (FRS). Asynchronous Transfer Mode Service (ATMS), IP-enabled FRS/ATMS, IP Virtual Private Networks (VPN), Private Line Service (PLS), and other services as needed to ensure seamless connectivity to Agency networking environments. MNS is similar to managed network service offerings on FTS2001 contracts. However, there is not a direct correlation between specific FTS2001 and Networx solutions.

MNS technical capabilities are defined in two following major categories that are identified in more detail in Sections C.2.9.1.1.4.1 and C.2.9.1.1.4.2 of the Networx contracts.

Managed Design and Engineering Services

• Provide design and engineering services that fully satisfy Agency requirements.
• Incorporate the Agency security requirements into the design. This may include integration of a security package or individual Networx security services.
• Identify network components and protocol, redundancy, traffic filtering, and traffic prioritization requirements. Also specification of the appropriate Committed Information Rates (CIRS), Permanent Virtual Circuits (PVC) levels, and network access speeds as required.
• Provide complete project management including design, implementation, installation, access coordination, provisioning, equipment configuration, hardware testing, and service activation.

Implementation, Management, and Maintenance

• Conduct integrated management of services including, as required by the Agency, managing services provided by other contractors.
• Develop implement, and manage comprehensive solutions constructed from components of Networx services to meet Agency-specific requirements.
• Supply and manage the hardware, firmware, and related software required by the agency.
• Manage the network in real-time on a 24X7 basis.
• Support Simple Network Management Protocol (SNMP) data feeds that provide the Agency with managed equipment information as applicable.
• Support configuration changes, provide IP address management, monitor and control access to equipment, perform hardware and software upgrades, and additional functions described in Section C.2.9.1.1.4.2 (Implementation, Management, and Maintenance).

The MNS feature set is described in Section C.2.9.1.2 of the Networx contracts (MNS Feature Set). It consists of:

• Government Furnished Property (GFP) and Maintenance (maintenance and repair of GFP unless maintained under an SED monthly maintenance charge).
• Agency-specific Network Operations Center (NOC).
• Network Testing (performed at the Agency's discretion and structured in collaboration with the contractor).

MNS is required to support the (UNIs) defined in applicable Networx services, for example:

• C.2.3.1 Frame Relay Service (FRS).
• C.2.3.2 Asynchronous Transfer Mode Service (ATMS).
• C.2.5.1 Private Line Services (PLS).
• C.2.4.1 Internet Protocol Service (IPS).
• C.2.7.2 Premises-based IP VPN Services (PBIP-VPNS).
• C.2.7.3 Network-based IP VPN Services (NBIP-VPNS).

Each Networx contractor may provide variations or alternatives to the offering and pricing for MNS. The specific details can be found within each Contractor's Networx contract files and pricing notes for MNS.

For more information on the general MNS specifications and requirements, please refer to Section C.2.9.1 of the Networx contract for technical specifications and Section B.2.9.1 for pricing.

MNS Price Basics

MNS provides comprehensive design, engineering, operation, management, monitoring, and maintenance of Agency networks. MNS does not include access and transport services. Prices exclude the cost of bandwidth and SED maintenance covered by the SED's MMRC.

MNS Basic Service CLINS are charged per device. A device under MNS is typically a router, switch, or similar equipment at the user's location that acts as a point of connection between user location and the contractor's networking service(s). The Basic Service CLINs are distinguished by network type:

• Connection-Oriented Networks: Networks using circuit switched services, FRS, and ATM.
• Connectionless Networks: Networks using IP-based services.

MNS is similar to MNS offerings on FTS2001 contracts. However, there is not necessarily a direct correlation between all specific FTS2001 and Networx solutions

Price components required for MNS Basic Service:

• Managed Network Implementation, Management and Maintenance (NRC + MRC per device).
• Features* ordered as needed by the Agency:
  • Government Furnished Property (GFP) Maintenance.
  • Agency-Specific Network Operations Center (NOC).
  • Network Testing.
• Service Enabling Devices (SEDs) may be required to implement MNS. [Please note that SEDs under Networx replace the FTS2001 User-to-Network Interfaces and Access Adaptation Functions (UNIs/AAFs). SEDs may differ between Networx providers. The pricing structure for SEDs provides for either a one-time payment or monthly term payments for purchase, plus a NRC for installation and a MRC for maintenance.].
• Managed Network Design and Engineering (NRC + MRC ICB), if necessary, comprises design and engineering services including a review of the current network traffic, performance, transport, hardware and software components; and an overall evaluation of network topology, configuration, addressing, bandwidth, availability, scalability, reliability and disaster recovery requirements.
• Agency specific interfaces, software, and equipment to meet SOW requirements (NRC + MRC ICB), if necessary.

* All original contract MNS features are priced on an Individual Case Basis (ICB). CLINs with ICB prices are not available in the unit pricer.

Technical Summary

In November 2007, the Office of Management and Budget (OMB) announced its Trusted Internet Connections (TIC) initiative which will limit the number of internet connections (gateways) into Federal Departments and Agencies. In response, GSA developed MTIPS, a Networx service that enables Agencies to meet their TIC requirements. This is a new service that was not offered on previous GSA contracts.

MTIPS allows Agencies to transport Internet Protocol (IP) packets to/from external networks including the Public Internet, business partner's networks and Government-wide intranets and extranets. MTIPS enables Federal Agencies to achieve full compliance with the TIC mandate by facilitating the reduction of the number of Internet connections in Government networks while providing stipulated security functions and controls to all Government users.

The figure below shows a notional architecture for MTIPS. It is a realization of the TIC 1.0 Reference Architecture as required by the OMB TIC initiative.

MTIPS Notional Architecture

As shown in the figure, MTIPS is comprised of (1) the network infrastructure to transport IP traffic originating in the Agency Enterprise Wide Area Network (WAN) and (2) the TIC portal (DHS Approved Access Point). Together they create an Agency TIC Trusted Domain (DMZ) for IP traffic. (The term DMZ was originally coined as an acronym for demilitarized zone). The DMZ is created by the contractor to ensure that Agency traffic is protected and physically isolated when transported to the TIC portal and the public internet. Contractor-provided access to the MTIPS Transport POP is included in the DMZ.

The MTIPS (TIC) Portals built by Networx contractors provide access to multiple Tier 1 Internet Service Providers (ISPs). An MTIPS portal functions as an OMB approved Multi-Service Trusted Internet Connection Access Provider (TICAP) capable of hosting multiple Agencies and able to manage and correlate multiple independent traffic streams for each subscribing Agency. The MTIPS Portal provides security services to multiple clients, but allows for specific controls based on Agency requirements.

Prior to subscribing to MTIPS, Agencies must do the following:

• Designate a Dedicated Approval Authority (DAA).
• Sign a "Banner" Memorandum of Agreement (MOA) with DHS. The MOA is signed by the DAA and is a legal requirement to monitor Agency traffic using EINSTEIN devices (see Technical Detail section below).
• Identify MTIPS Gateway Site(s). It is recommended that the Agency consolidate internet/external network bound traffic at a single or at a few Agency sites and conduct site assessments.
• Review MTIPS C&A certification package and issue Authorization to Operate (ATO) or accept a Global ATO from GSA.

The MTIPS ensures 100% compliance with the OMB mandate upon subscription by the Agencies. MTIPS is an enhancement to the Networx Internet Protocol Service (IPS). It provides an additional layer of security which isolates Agencies internal traffic from un-trusted zones (i.e., the Public Internet and other external networks).

MTIPS Technical Capabilities

MTIPS supports the following technical capabilities described in detail in Section C.2.4.1.5.1.4 of the Networx contracts:

• Access to the Internet - This capability includes:
  • Established public peering arrangements from the contractor's network to the Internet.
  • Established private peering arrangements from the contractor's network with redundant links to connect to private peering partners.
• Hosting for the EINSTEIN Enclave - The MTIPS contractors provide cage, power and environmental conditions to host the EINSTEIN enclave; the Government provides the network elements as GFE.
• DCID 6/9 SCIF - Contractor-provided SCIF space.
• MTIPS Portal Security Operations Center (SOC) - The SOC provides the following functions:
  • Event Generation of Security Sensors - The security sensors installed support the following functions
    • E-mail scanning and Filtering.
    • Network Based Firewall virtualized to support all hosted Agencies.
    • Intrusion Detection and Protection in support of vendor and Agency supplied signatures.
    • Anti Virus Protection.
  • Event collection and normalization - The event collectors gather raw information from the security sensors. The messages are normalized and reflect the operating states of the security appliances at the Portal.
  • Control Mechanisms - The MTIPS provides mechanisms for the exchange of information and enables action and reaction to attacks to mitigating and preventing them.
  • Systems Logs.
• MTIPS Transport Collection and Distribution Capabilities.

The MTIPS Feature set is described in Section C.2.4.1.5.2.1 of the Networx contracts (MTIPS Feature Set). It consists of:

• Encrypted traffic - Provides scanning and filtering of incoming and outgoing email, web traffic and known bad mail.
• Agency security policy enforcement.
• Forensic analysis.
• Custom reports for ad-hoc user defined reports.
• Agency NOC/SOC Console-customized to Agency requirements.
• Custom Certification and Accreditation Support to support more stringent security controls.
• External network connection.
• Encrypted DMZ.

Each Networx contractor may provide variations or alternatives to the offering and pricing for MTIPS. The specific details can be found within each Contractor's Networx contract files and pricing notes for MTIPS.

For more information on the general MTIPS specifications and requirements, please refer to Section C.2.4.1.5 of the Networx contracts for technical specifications and Section B.2.4.1.5 for pricing.

MTIPS Price Basics

MTIPS facilitates the reduction of the number of Internet connections in Government networks and provides standard security services to all Government users. MTIPS is in full compliance with the Office of Management and Budget's (OMB) Trusted Internet Connection (TIC) initiative (M-08-05).

The MTIPS port price includes:

• TIC Security Operations Center (SOC) equipment
• TIC Portal Capabilities (Section C.2.4.1.5.1.4.1)
• Transport Collection and Distribution Capabilities (Section C.2.4.1.5.1.4.2)
• Network Operations and Management (Section C.2.4.1.5.5)
• TIC Portal SOC Federal Information Security Management Act (FISMA) Certification and Accreditation (C&A) (Section C.2.4.1.5.8)

CLINs are distinguished by access type:

• Embedded Access: One CLIN is ordered to obtain both access and transport with one rate.
• Independent Access (aka Access Services): A separate CLIN for the access is ordered from one contractor to connect an agency's site to another contractor's network.
• Dedicated Access: A separate CLIN for the access is ordered along with transport service from the same contractor. This is the most commonly ordered option as shown in Example 1 below.

MTIPS is a service that was not offered on the FTS2001 contracts.

Price components required for full end-to-end service for Domestic and Non-Domestic MTIPS:

• MTIPS Transport monthly recurring charge per port
• Dedicated Access Arrangements (DAA) Originating and Terminating Wireline Access (MRC) and (NRC)
• Features* ordered as needed by the Agency:
• Encrypted Traffic
• Agency Security Policy Enforcement
• Forensic Analysis
• Custom Reports
• Agency NOC/SOC Console
• Custom Certification and Accreditation (C&A) Support
• External Network Connection
• Encrypted DMZ
  • Service Enabling Devices (SEDs) may be required to implement MTIPS. [Please note that SEDs under Networx replace the FTS2001 User-to-Network Interfaces and Access Adaptation Functions (UNIs/AAFs). SEDs may differ between Networx providers. The pricing structure for SEDs provides for either a one-time payment or monthly term payments for purchase, plus a NRC for installation and a MRC for maintenance.]

* All MTIPS features are priced on an Individual Case Basis (ICB). CLINs with ICB prices are not available in the unit pricer.

• MTIPS Transport: Choose CLIN 745359 (MTIPS - Dedicated T3 MRC per port)
• Access NRC: Choose CLIN 760117 Routine T3 Dedicated Access NRC
• Access MRC: Choose CLIN 760317 Routine T3 Dedicated Access MRC
• SEDs must be chosen based on equipment required at each location. CLINs may differ between contractors.

Each Networx contractor may provide variations or alternatives to the offering and pricing for MTIPS. The specific details can be found within each Contractor's Networx contract files and pricing notes for MTIPS.

For more information on the general MTIPS specifications and requirements, please refer to Section C.2.4.1.5 of the Networx contract for technical specifications and Section B.2.4.1.5 for pricing.

MWLANS Technical Summary

Multimode/Wireless LAN Service provides Agency users with wireless access points, commonly called WiFi hotspots. MWLANS satisfies Agency requirements for global remote wireless connectivity to IP-based services from outside Government networks by offering 802.11 wireless connections in public hot spots around the world, or with custom-designed wireless networks deployed at Agency sites.

MWLANS is a wireless transmission service for mobile terminals. Agency personnel, using WiFi-enabled notebook computers or personal digital assistants (PDAs), can access E-mail, government intranets, and the Internet when located within WiFi coverage areas or hotspots. MWLANS complies with the near-ubiquitous standard known as WiFi or wireless fidelity. Through partnerships with WiFi providers, the Networx contractors provide essentially global coverage.

Client software, which is loaded on the subscriber's mobile device, simplifies the process of accessing the network by providing MWLANS access tools to assist the Agency subscriber. Access to the network is secured through multiple security layers. An IP Security (IPSec) connection is established between the client software and the remote access server in the contractor's network. Traffic is encrypted between the mobile device and the MWLANS base station in private hotspot implementations.

The following Multimode/Wireless LAN Service capabilities are supported:

• The user is provided access only after authentication by user-id and password by the contractor. The user is able to change password as often as deemed necessary.
• The service supports dynamic IP address as well as single or multiple static IP address.
• The contractor provides commercially available Wireless Network Interface Cards (NICs) for mobile terminals.

Figure No. 1 depicts how MWLANS (i.e., a wireless LAN supporting IEEE 802.11 standard) obviates the needs for enterprise cabling.

Figure No. 2 depicts the role of Wi-Fi in the IEEE family of wireless network specifications.

Basic service level agreements (SLAs) supported include:

• Time to Restore.

For more information on the general MWLANS specifications and requirements, please refer to Section C.2.14.3 of the Networx contract for technical specifications and Section B2.14.3 for pricing.

MWLANS Price Basics

MWLANS is commonly known as WiFi or Wireless Fidelity. MWLANS consists of two service types:

• Subscription Service: A subscription-based service to public hot spots is available as a monthly or daily subscription.
  • The monthly subscription offers unlimited usage.
  • As part of the daily subscription, each subscription lasts 24 hours from the time of first logon to the service. Customers can logoff and logon to the service during the 24 hour period without incurring additional charges.
• Private Hotspot: Private WiFi hotspots are priced an Individual Case Basis (ICB). Private hotspots require an initial survey, design and network installation; a monthly recurring service charge applies after cutover.

MWLANS is a service that was not offered on the original FTS2001 contracts.

Price components required for MWLANS:

• Subscription Service
• Daily (per day) or Monthly (per month) Subscription
• Private Hotspot
• Survey, Design, and Setup (NRC ICB). CLINs with ICB prices are not available in the unit pricer
• Ongoing Operations and Maintenance (MRC ICB). CLINs with ICB prices are not available in the unit pricer
  • No features available currently
  • Service Enabling Devices (SEDs) may be required to implement MWLANS. [Please note that SEDs under Networx replace the FTS2001 User-to-Network Interfaces and Access Adaptation Functions (UNIs/AAFs). SEDs may differ between Networx providers. The pricing structure for SEDs provides for either a one-time payment or monthly term payments for purchase, plus a NRC for installation and a MRC for maintenance.]

Each Networx contractor may provide variations or alternatives to the offering and pricing for MWLANS. The specific details found within each Contractor's Networx contract files and pricing notes for MWLANS

For more information on the general MWLANS specifications and requirements, please refer to Section C.2.14.3 of the Networx contract for technical specifications and Section B.2.14.3 for pricing.

• National Security and Emergency Preparedness (NS/EP)/Telecommunications Priority Service (TSP) allows Agencies to establish priorities for circuit installation, restoration, and priority level changes in anticipation of, during, or after a national emergency. The service provider installs or restores circuits based on Agency priority level.
• Similar to FTS2001 NS/EP TSP
• Basic components required for service
  • NS/EP TSP Priority Installations (NRC) - same as FTS2001 (FTS2001 SCIDs 1591, 1592, 1593, 21854, 21855)
  • NS/EP TSP Priority Restorations (NRC) - same as FTS2001 (FTS2001 SCIDs 1594, 1598, 1599, 21858, 21859)
  • NS/EP TSP Priority Restorations (MRC) - same as FTS2001 (FTS2001 SCIDs 1595, 1596, 1597, 21856, 21857)
  • NS/EP TSP Priority Level for Design Change (NRC) - same as FTS2001 (FTS2001 SCIDs 1600, 1601, 21860)
• There are no features or SEDs for NS/EP TSP

• Example: NS/EP TSP Priority Provisioning of a T1 circuit with Local Access Coordination
  • TSP Priority Provisioning - Local Access Coordination (NRC): Choose CLIN 144004 (FTS2001 SCID 1591)
  • TSP Restoration - Local Access Coordination (MRC and NRC): Choose CLIN 144002 (MRC) (FTS2001 SCIDs 1596 and 21857) and CLIN 144008 (NRC) (FTS2001 SCID 1598)
  • TSP Priority Level for Design Change Local Access Coordination (NRC): Choose CLIN 144011 (NRC) - (FTS2001 SCID 1601)

NBIP-VPNS Technical Summary

NBIP-VPNS provides secure, reliable transport of Agency applications across a contractor's multiprotocol label switching (MPLS) backbone infrastructure for geographically dispersed Agency locations. The service footprint covers CONUS, OCONUS and Non-Domestic locations. NBIP-VPNS is equivalent to FTS2001 services such as Private IP (PIP), Multiprotocol Label Switching (MPLS), and Very high performance Backbone Network Service (VBNS).

A virtual private network (VPN) is a network that is layered on top of an underlying transport network. The private nature of a VPN derives from the implementation of the VPN in an encapsulated form that is not visible to the underlying network. Virtual paths called 'tunnels' are established within the network. The main characteristic of a Network-based VPN is that all devices involved in building the VPN are systems owned by the contractor and located at the edge of the contractor's backbone. Tunnels usually terminate at the contractor's edge router.

The following diagram illustrates a layered architecture for NBIP-VPNS with its basic building blocks. The figure shows two independent network based VPNs interconnecting Agency sites with various forms of dial, broadband, and dedicated access to the contractor's network.

The basic building blocks are comprised of the following:

• CE1 - CE4 : Customer Edge Devices : Service Enabling Devices (SEDs)
• P1 - P3 : IP/MPLS Backbone Core Devices
• PE1 - PE5 : Provider Edge Devices
• VS (Voice Service) : Analog dialup at 56 Kbps
• ISDN : Circuit Switched Data Service (CSDS) at 64 Kbps and 128 Kbps
• High Speed Cable Access : 320 Kbps up to 10 Mbps
• SSL (Secure Sockets Layer) : Tunneling standard to facilitate flexible and secure access to the Agency network
• IPSec (IP Security): IPSec can be used in tunnel mode (entire packet is encrypted) or transport mode (only data is encrypted).

MPLS is a labeling scheme that is used by a network edge router to create paths across the network with specific constraints, such as acceptable packet delay. MPLS remains independent of the layer 2 and 3 protocols. IP packets are encapsulated, labeled, and switched between the source and destination PEs. Each CE and PE pair creates a local loop/access.

• VPN1 is a closed user group with PE1, PE3, and PE4 edge devices.
• VPN2 is a closed user group with PE2, PE3, PE4, and PE5 edge devices.

Note that an edge device can belong to multiple VPNs as illustrated by the PE3 and PE4 devices.

The NBIP-VPNS managed solution facilitates the shift of an Agency's capital and operational expenditure burdens to the Networx contractor. The contractor's core MPLS infrastructure can be used to create Agency specific topologies from partially-meshed to fully-meshed networks.

NBIP-VPNS supports a complete set of Agency site types:

• Intranet - provides secure tunnels between remote sites
• Extranet - enables trusted business partners to gain access to corporate information via secure/encrypted tunnels
• Remote Access - enables mobile/remote workers to gain access to secure corporate information via secure encrypted tunnels.

NBIP-VPNS allows Agencies to interconnect sites served by ATMS, FRS, PLS, and Ethernet services. The MPLS backbone creates virtual circuits between MPLS-enabled endpoints on the network, and provides the ability to establish Classes of Service (CoS) categorized by the type of traffic. The classification of traffic is defined at the Agency SED, and may be categorized as:

• Premium - Time-critical traffic such as voice, video, and VoIP
• Enhanced - Business-critical traffic such as database transactions
• Standard - Non-critical traffic such as email, http, ftp, etc.

End-to-end Quality of Service (QoS) can be provided through traffic classification and prioritization at the CE, PE, or core P devices (see the example figure). Agencies will receive customized NBIP-VPNS solutions that meet the Agency's specific requirements.

NBIP-VPNS features are available that include:

• Class of Service - Premium, Enhanced, and Standard as defined above
• High availability options for Customer Premises Equipment
• Internet Gateway Service - hardened trusted gateway between the internet and the IP-VPN service
• Interworking Services - transparent interworking across locations with ATMS, FRS, Ethernet, and the contractor's IPS
• Key Management - generation, distribution, storage, and security of encryption keys
• Security Services.

Basic service level agreements (SLAs) supported include:

• Availability
• Latency
• Time to Restore.

Each Networx contractor may provide variations or alternatives to the offering and pricing for NBIP-VPNS. The specific details can be found within each Contractor's Networx contract files and pricing notes for NBIP-VPNS.

For more information on the general NBIP-VPNS specifications and requirements, please refer to Section C.2.7.3 of the Networx contract for technical specifications and Section B.2.7.3 for pricing.

NBIP-VPNS Price Basics

NBIP-VPNS provides network-based private data transport between user locations. The pricing associated with NBIP-VPNS is based on a number of factors such as number of sites, bandwidth requirements, security services, and the type of access. CLINs are distinguished by access type:

• Embedded: One CLIN is ordered to obtain both access and transport with one rate.
• Independent (aka Access Services): A separate CLIN for the access is ordered from one contractor to connect an agency's site to another contractor's network.
• No access (i.e. Dedicated Access Arrangements (DAA)): A separate CLIN for the access is ordered along with transport service from the same contractor. This is the most commonly ordered option as shown in Example 1 below.

NBIP-VPNS is equivalent to FTS2001 services such as Private IP (PIP), Multiprotocol Label Switching (MPLS), and Very high performance Backbone Network Service (VBNS).

Price components required for full end-to-end service for Domestic and Non-Domestic NBIP-VPNS:

• NBIP-VPNS Transport monthly recurring charge per port
• DAA Originating and Terminating Wireline Access (MRC) and (NRC)
• Features ordered as needed by the Agency:
  • Class of Service (CoS)
  • High Availability Options for CPE
  • Internet Gateway Service
  • Interworking Services
  • Key Management
  • Security Services.
• Service Enabling Devices (SEDs) may be required to implement NBIP-VPNS. [Please note that SEDs under Networx replace the FTS2001 User-to-Network Interfaces and Access Adaptation Functions (UNIs/AAFs). SEDs may differ between Networx providers. The pricing structure for SEDs provides for either a one-time payment or monthly term payments for purchase, plus a NRC for installation, and a MRC for maintenance.]
• Network Design and Engineering (NRC ICB), if necessary.

This document only addresses the NBIP-VPN service at contract award. Each Networx contractor may provide variations or alternatives to the offering and pricing for NBIP-VPNS. The specific details can be found within each Contractor's Networx contract files and pricing notes for NBIP-VPNS.

For more information on the general NBIP-VPNS specifications and requirements, please refer to Section C.2.7.3 of the Networx contract for technical specifications and Section B.2.7.3 for pricing.

OWS provides dedicated high speed optical transport networks to interconnect Agencies offices in different geographic regions. OWS is a new service that was not provided on FTS2001 contracts. Basic OWS is a point-to-point bi-directional, single link service provided by Wavelength Division Multiplexing (WDM) equipment. However, networks with more flexible topologies such as multi-point to multi-point can be provided through emerging technologies.

OWS may be ordered in Metro areas or long haul CONUS wide, with OCONUS and Non-Domestic locations optional to offer. The Agency may opt to manage its own network or to obtain network management from its contractor. OWS is delivered to the customer's Service Delivery Point (SDP). The Agency can order OWS that will connect to and interoperate with:

• Contractor's metro and long haul networks
• Agency's Intranet
• Internet
• Other Agency networks.

The diagram below illustrates a CONUS wide contractor's Dense WDM (DWDM) transport network delivering optical carrier (OC) wavelengths. A Customer Network Management (CNM) feature is shown that could include alarm monitoring capabilities as well as capabilities for set up, modification, and tearing-down of connections.

Government Agencies require dedicated broadband, framing-independent transport networks to interconnect their offices in different regions of the United States and internationally. In offering OWS, the contractor always provides the optronics equipment and fiber connectivity that comprise the transport network. Management of the network, however, may be performed by either the providing contractor or the Government Agency. In the latter case, Agencies will manage their dedicated networks via a Web portal or a remote User Interface (UI).

OWS is provided over Wavelength Division Multiplexing (WDM) equipment where several wavelengths, sometimes referred to as lambdas, are multiplexed into a composite signal that is transmitted over a single fiber. An emerging technology known as Automatic Switched Transport Network (ASTN) may be offered as an option by the vendor. ASTN allows traffic paths to be established through the network through an ASTN agent. This agent is also known as an Optical Control Plane. The Optical Control Plane provisions the path through the network as requested by the customer edge-device (e.g., router) and allocates bandwidth for the user requested service, providing more flexibility in meeting user demand. ASTN further enables Agencies to order multi-point to multi-point connections, full mesh configuration, with routing constraints, and Quality of Service (QoS) options. OWS over ASTN also enables network-to-network interconnections to be established.

OWS provides advanced transport capabilities for Government Agencies. OWS allows Agencies to build high speed networks at OC-48 or OC-192 that require physical isolation of traffic to meet bandwidth intensive demands. It supports very fast service set-up/tear-down (i.e., in hours or minutes) and supports low latency and jitter. OWS enables collaborative, dynamic multi-terabit and grid-computing applications and supports fast restoration capabilities (in the sub-millisecond range)

• Two levels of Customer Network Management
• Equipment Protection
• Geographical Diversity
• Protected Wavelengths

Each Networx contractor may provide variations or alternatives to the offering and pricing for OWS. The specific details can be found within each Contractors Networx contract files and pricing notes for OWS

For more information on the general OWS specifications and requirements, please refer to Section C.2.5.4 of the Networx contract for technical specifications and Section B.2.5.4 for pricing.

OWS is a service that was not offered on the original FTS2001 contracts. OWS is provided over the following two transport technologies:

• Wavelength Division Multiplexing (WDM): OWS is provided over WDM equipment where several wavelengths, sometimes referred to as lambdas, are multiplexed into a composite signal that is transmitted over a single fiber.
• Automatic Switched Transport Network (ASTN): An emerging technology known as ASTN may be offered as an option by the vendor. ASTN allows traffic paths to be established through the network through an ASTN agent. This agent provisions the path through the network and allocates bandwidth for the user requested service, providing more flexibility in meeting user demand. ASTN further enables Agencies to order multi-point to multi-point connections.

The Monthly Recurring Charge (MRC) for transport consists of a fixed component plus a distance-dependent (per mile) component. CONUS-to-CONUS distance is calculated using the distance formula:

Distance (miles) = ROUNDUP(SQRT(((V1-V2)^2+(H1-H2)^2)/10),0)

Where (V1, H1) and (V2, H2) are the V and H coordinates of the locations, respectively

Distance involving OCONUS or non-domestic locations is calculated using airline miles. Note: The Networx Pricer automatically calculates the distance when given the originating and terminating locations.

• OWS Transport monthly recurring charge with a fixed component and charge per mile
• Dedicated Access Arrangements (DAA) Originating and Terminating Wireline Access (MRC) and (NRC)
• Features ordered as needed
• Service Enabling Devices (SEDs) may be required to implement OWS. [Please note that SEDs under Networx replace the FTS2001 User-to-Network Interfaces and Access Adaptation Functions (UNIs/AAFs). SEDs may differ between Networx providers. The pricing structure for SEDs provides for either a one-time payment or monthly term payments for purchase, plus a NRC for installation and a MRC for maintenance.]

Example 1: Domestic OWS WDM Routine Level for OC-48 wavelength

• OWS Transport: Choose CLIN 174021 WDM Routine OC48 - 2.5 Gbps - Domestic Long Haul Routine MRC per channel)
• Access MRC: Choose CLIN 760370 Routine DAA OWS OC-48 MRC (ICB) for both ends of the OC-48 Circuit. Prices for this CLIN are not available in the unit pricer. This circuit is priced as ICB (Individual Case Basis).
• Access NRC: Choose CLIN 760170 Routine DAA OWS OC-48 NRC (ICB) for both ends of the OC-48 Circuit. Prices for this CLIN are not available in the unit pricer. This circuit is priced as ICB (Individual Case Basis).
• SEDs must be chosen based on equipment required at each location. CLINs differ between vendors.

A fixed price is provided for Metro OWS, i.e., transport in a domestic metropolitan area. Thus, the Metro OWS price does not vary by metropolitan area.

Price components required for full end-to-end service for Metro OWS:

• OWS Transport monthly recurring charge (MRC) per channel
• DAA Originating and Terminating Wireline Access (MRC) and (NRC)
• Features ordered as needed
• Service Enabling Devices (SEDs) may be required to implement OWS. [Please note that SEDs under Networx replace the FTS2001 User-to-Network Interfaces and Access Adaptation Functions (UNIs/AAFs). SEDs may differ between Networx providers. The pricing structure for SEDs provides for either a one-time payment or monthly term payments for purchase, plus a NRC for installation and a MRC for maintenance.]

Example 2: Metro OWS WDM Routine Level for OC-48 wavelength

• OWS Transport: Choose CLIN 174001 WDM Routine OC48 - 2.5 Gbps - Metro MRC per channel)
• Access MRC: Choose CLIN 760370 Routine DAA OWS OC-48 MRC (ICB) for both ends of the OC-48 Circuit. Prices for this CLIN are not available in the unit pricer. This circuit is priced as ICB (Individual Case Basis).
• Access NRC: Choose CLIN 760170 Routine DAA OWS OC-48 NRC (ICB) for both ends of the OC-48 Circuit. Prices for this CLIN are not available in the unit pricer. This circuit is priced as ICB (Individual Case Basis).
• SEDs must be chosen based on equipment required at each location. CLINs differ between vendors.

Each Networx contractor may provide variations or alternatives to the offering and pricing for OWS. The specific details can be found within each Contractors Networx contract files and pricing notes for OWS.

For more information on the general OWS specifications and requirements, please refer to Section C.2.5.4 of the Networx contract for technical specifications and Section B.2.5.4 for pricing.

Premises - Based IP VPN Service (PBIP-VPNS) Technical Summary

PBIP-VPNS provides secure, reliable transport of Agency applications across a contractor's multiprotocol label switching (MPLS) backbone infrastructure for geographically dispersed Agency locations. The service footprint covers CONUS, OCONUS and Non-Domestic locations. PBIP-VPNS is similar to FTS2001 services such as Private IP (PIP), Multiprotocol Label Switching (MPLS), and Very high performance Backbone Network Service (VBNS).

A virtual private network (VPN) is a network that is layered on top of an underlying transport network. The private nature of a VPN derives from the implementation of the VPN in an encapsulated form that is not visible to the underlying network. Virtual paths called "tunnels" are established within the network.

The following diagram illustrates a layered architecture for PBIP-VPNS with its basic building blocks. The figure shows two independent premises-based VPNs interconnecting Agency sites with various forms of dial, broadband, and dedicated access to the contractor's network.

The basic building blocks are comprised of the following:

• CE1 - CE5 -> Customer Edge Devices
  • Service Enabling Devices (SEDs)
• PE1 - PE5 -> Provider Edge Devices
• VS (Voice Service) -> Analog dialup at 56 Kbps
• ISDN -> Circuit Switched Data Service (CSDS) at 64 Kbps and 128 Kbps
• High Speed Cable Access -> 320 Kbps up to 10 Mbps
• SSL (Secure Sockets Layer) -> Tunneling standard to facilitate flexible and secure access to the Agency network
• IPSec (IP Security) -> IPSec can be used in tunnel mode (entire packet is encrypted) or transport mode (only data is encrypted).
• Each CE and PE pair creates a local loop/access.
• VPN1 is a closed user group with PE1, PE3, and PE4 edge devices.
• VPN2 is a closed user group with PE2, PE4, and PE5 edge devices.

Note that an edge device can belong to multiple VPNs as illustrated by the PE4 device.

Premises- Based IP VPN Service (PBIP-VPNS) Technical Detail

The PBIP-VPNS solution gives the Agency full end-to-end security control of the traffic; but carries a higher burden of capital and operational expenditure. The contractor's core MPLS infrastructure can be used to create Agency specific topologies from partially-meshed to fully-meshed networks.

The main characteristics of a premises-based VPN are:

1. VPNs are typically IPSec tunnel-based, with customer edge (CE) devices encrypting and decrypting traffic before it enters and leaves the contractor's network.
2. Because security is provided on an end-to-end basis, the contractor has no visibility into the IP tunnel.
3. Contractor provides any-to-any connectivity via IP routing to build paths across the contractor's cloud.
4. The CE may either be furnished by an Agency or by the contractor as part of a managed service.

PBIP-VPNS supports a complete set of Agency site types:

• Intranet - provides secure tunnels between remote sites
• Extranet - enables trusted business partners to gain access to corporate information via secure/encrypted tunnels
• Remote Access - enables mobile/remote workers to gain access to secure corporate information via secure encrypted tunnels

PBIP-VPNS allows Agencies to interconnect sites served by ATMS, FRS, PLS, and Ethernet services. The MPLS backbone creates virtual circuits between MPLS-enabled endpoints on the network and Agencies will receive customized PBIP-VPNS solutions that meet the Agency's specific requirements.

PBIP-VPNS features are available that include:

• High availability options for Customer Premises Equipment (CPE)
• Internet Gateway Service - hardened trusted gateway between the internet and the IP-VPN service
• Interworking Services - transparent interworking across locations with ATMS, FRS, Ethernet, and the contractor's IPS
• Key Management - generation, distribution, storage, and security of encryption keys
• Security Services

Basic service level agreements (SLAs) supported include:

• Availability
• Latency
• Time to Restore.

Each Networx contractor may provide variations or alternatives to the offering and pricing for PBIP-VPNS. The specific details can be found within each Contractor's Networx contract files and pricing notes for PBIP-VPNS.

For more information on the general PBIP-VPNS specifications and requirements, please refer to Section C.2.7.2 of the Networx contract for technical specifications and Section B.2.7.2 for pricing.

Premises- Based IP VPN Service (PBIP-VPNS) Price Basics

PBIP-VPNS provides secure, reliable transport of Agency applications across a contractor's multiprotocol label switching (MPLS) backbone infrastructure for geographically dispersed Agency locations. Pricing for PBIP-VPNS is based on a number of factors such as number of sites, bandwidth requirements, security services, and the type of access.

PBIP-VPNS provides three basic solutions:

• Intranet - provides secure tunnels between remote sites
• Extranet - enables trusted business partners to gain access to corporate information via secure/encrypted tunnels
• Remote Access - enables mobile/remote workers to gain access to secure corporate information via secure encrypted tunnels

Price components required for full end-to-end service for Intranet and Extranet PBIP-VPNS:

• VPN Gateway Management (MRC ICB)
• PBIP-VPNS uses an underlying, separately priced, contractor-provided, IP network (see Section B.2.4.1 Internet Protocol Service (IPS) for pricing)
• DAA Originating and Terminating Wireline Access (MRC) and (NRC)
• Features ordered as needed by the Agency:
  • High Availability Options for CPE
  • Internet Gateway Service
  • Interworking Services
  • Key Management
  • Security Services
• Service Enabling Devices (SEDs) may be required to implement PBIP-VPNS. [Please note that SEDs under Networx replace the FTS2001 User-to-Network Interfaces and Access Adaptation Functions (UNIs/AAFs). SEDs may differ between Networx providers. The pricing structure for SEDs provides for either a one-time payment or monthly term payments for purchase, plus a NRC for installation and a MRC for maintenance.]
• Network Design and Engineering Service (NRC ICB), if necessary

  Example 1: PBIP-VPNS Intranet or Extranet

  
  

  

  
  

  • PBIP-VPNS VPN Gateway Management: Choose CLIN 200005 (VPN Gateway Management). Prices for this CLIN are not available in the unit pricer. Prices are ICB.
  • IPS Transport: Choose CLIN 744349 (Routine Dedicated T1 - CONUS MRC per port)
  • Access NRC: Choose CLIN 760111 Routine DAA T1 NRC
  • Access MRC: Choose CLIN 760311 Routine DAA T1 MRC
  • SEDs must be chosen based on equipment required at each location. CLINs may differ between contractors.
  • A Network Design and Engineering NRC may be applicable

For a remote access solution, two types of access arrangements are possible:

• Independent Access - With Independent Access, an agency may use access from a different contract to connect with the contractor's IPS transport network. There are no additional charges for interfacing with independent access.
• Embedded Access - With Embedded Access, the access prices are included in the contractor's port prices.

Price components required for full end-to-end service for Remote Access PBIP-VPNS:

• VPN Gateway Management (MRC ICB)
• PBIP-VPNS uses an underlying, separately priced, contractor-provided, IP network (see Section B.2.4.1 Internet Protocol Service (IPS) for pricing)
• Features ordered as needed by the Agency
• Service Enabling Devices (SEDs) may be required to implement PBIP-VPNS. [Please note that SEDs under Networx replace the FTS2001 User-to-Network Interfaces and Access Adaptation Functions (UNIs/AAFs). SEDs may differ between Networx providers. The pricing structure for SEDs provides for either a one-time payment or monthly term payments for purchase, plus a NRC for installation and a MRC for maintenance.]
• Network Design and Engineering Service (NRC ICB), if necessary

Each Networx contractor may provide variations or alternatives to the offering and pricing for PBIP-VPNS. The specific details can be found within each Contractors Networx contract files and pricing notes for PBIP-VPNS.

For more information on the general PBIP-VPNS specifications and requirements, please refer to Section C.2.7.2 of the Networx contract for technical specifications and Section B.2.7.2 for pricing.

Private Line Service (PLS) Technical Summary

PLS provides dedicated connectivity on a non-switched basis between two or more designated Service Delivery Points (SDPs) for voice, data, video, and multimedia service applications at Agency-specified bandwidths. Because PLS is a dedicated service, the maximum bandwidth purchased its always available on an end-to-end basis. Connectivity between end points is permanently established until an Agency requests a service modification, move, or disconnect.

PLS may be ordered as domestic (CONUS and OCONUS), or non-domestic service. PLS supports data rates from subrate-DS0 to T3 to SONET OC192 (including E1, E3 and OCONUS equivalent analog circuits). The range of line speeds, route diversity and reliability options provided by PLS allows an Agency to satisfy a wide variety of requirements for mission critical applications.

The figure below shows an illustrative PLS configuration. PLS provides dedicated connections that can interoperate with Government specified SDPs such as PBXs, Multiplexers, Routers, Video codecs, and Group 4 Faxes.

PLS, because it is an industry standard offering, allows for connection to and interoperation with all other networks, including other Networx Universal and Networx Enterprise carriers networks. The figure illustrates a link provided by carrier A and terminated on its POP. In the example, a second link is provided by Carrier B, including the access link between the two networks. Coordination across the carrier networks may be required for interoperability.

PLS is a legacy service that was offered on FTS2001 contracts that supports the full range of technical capabilities available on commercial offerings. PLS provides transparency to any transmission protocol used and ensures visibility to all bit sequences transmitted through the SDP. Data rates supported by PLS include:

• Subrate-DS0 and DS0.
• Channelized or Unchannelized T1, T3, E1 and E3.
• SONET OC-1 and OC1 Virtual Tributary.
• Channelized or Concatenated SONET OC-3, OC-12, OC-48, and OC-192.
• Analog circuits.

Non-domestic geographic coverage and offerings for PLS is specific to the different Networx service providers.

Mandatory PLS features are detailed in the Networx Contracts Section C.2.5.1.2.1 and are briefly described below:

• Multipoint Connection

  Allows interconnection of three or more subscribers premises as follows:

  • In Branch Off mode where all SDPs are treated as one shared medium and each point can autonomously send and receive data.
  • In Drop-and-Insert mode where channels of a channelized T1, T3, SONET OC-3, or SONET OC-12 service category can be dropped off and new channels can be simultaneously picked up or inserted.
• Special Routing

  Provides different routes for PLS circuits based on the following arrangements:

  • Transport Diversity between connecting POPs. Provides two or more physically separated diverse routes for PLS circuits (each pair of diverse circuits constituting a relationship pair). The diverse routes do not share common telecommunications facilities or offices and a minimum separation of 30 feet is maintained throughout all diverse routes. If diversity is not available for a location, an acceptable negotiated solution will be proposed on an individual case basis.
  • Transport Avoidance between connecting POPs. A capability will be provided for an Agency to specify a geographic location or route to avoid on the network. If that avoidance is not available in some locations, an acceptable negotiated solution will be proposed on an individual case basis.

    Internal control (i.e., electronic flagging of routes) will be established for the PLS to prevent accidental dismantling of diversified/avoidance routes, especially during routine route optimization initiatives by the contractor.

• 7.5 kHz Audio
  Compression of a customer provided 7.5 kHz audio signal, delivered and received in analog form, for transmission over a DS0 channel.

Optional PLS features

PLS features that are optional to offer are:

• Voice grade conditioning for analog lines.
• Low Bit Rate Voice capability to allow voice at 32 Kbps for analog data at 4.8 Kbps in conformance to Adaptive Differential Pulse Code Modulation (ADPCM).

Each Networx contractor may provide variations or alternatives to the offering and pricing for PLS. The specific details can be found within each Contractor's Networx contract files and pricing notes for PLS.

For more information on the general PLS specifications and requirements, please refer to Section C.2.5.1 of the Networx contract for technical specifications and Section B.2.5.1 for pricing.

PLS Price Basics

PLS provides facilities for duplex (bi-directional) service between two or more specified end points; accordingly, PLS is priced without regard for direction of carried traffic. PLS is a legacy service that was offered on FTS2001 contracts under Dedicated Transport Service (DTS).

Price components required for full end-to-end service for Domestic and Non-Domestic PLS:

• PLS Transport is based on the Originating and Terminating locations and consist of the following pricing elements:
  • Domestic to Domestic (same region): Monthly recurring charge with a fixed component and charge per mile. Distance between locations is calculated using airline miles between POPs
  • CONUS to OCONUS: Monthly recurring charge with a fixed component, charge per mile from the CONUS POP to the CONUS gateway, and a fixed monthly recurring charge from the CONUS gateway to the OCONUS POP
  • OCONUS to OCONUS (different region): Fixed monthly recurring charge based on originating and terminating Country/Jurisdiction IDs
  • Domestic to Non-Domestic: Monthly recurring charge with a fixed component, charge per mile from the Domestic POP to the Domestic gateway, and a fixed monthly recurring charge from the Domestic gateway to the Non-Domestic POP
  • Non-Domestic to Non-Domestic (different region): Fixed monthly recurring charge based on originating and terminating Country/Jurisdiction IDs
  • Non-Domestic to Non-Domestic (same region): Fixed monthly recurring charge based on originating and terminating POP IDs
• DAA Originating and Terminating Wireline Access (MRC) and (NRC)
• Features ordered as needed by the Agency:
  • Multipoint Connection
  • Special Routing
  • 7.5 kHz Audio
• Service Enabling Devices (SEDs) may be required to implement PLS. [Please note that SEDs under Networx replace the FTS2001 User-to-Network Interfaces and Access Adaptation Functions (UNIs/AAFs). SEDs may differ between Networx providers. The pricing structure for SEDs provides for either a one-time payment or monthly term payments for purchase, plus a NRC for installation and a MRC for maintenance.]

Note: The Networx Pricer automatically calculates the distance when given the originating and terminating locations.

SONETS Technical Summary

SONETS is a Networx service that enables Agencies to build optical transport networks that are high bandwidth, with a high level of reliability and traffic isolation. These transport networks are built using facilities from the contractor's optical backbones. SONETS provides proactive performance monitoring and enables self-healing functions with robust network management.

SONET is the U.S. standard for fiber optic synchronous transmission rates from 51.84 Mbps (OC-1) to beyond 13.27 Gbps (OC-256). The International Telecommunications Union version of the standard is the Synchronous Digital Hierarchy (SDH), which begins at 155 Mbps. SONETS is capable of interoperating with SDH in CONUS by providing gateway functions to transport SDH traffic over a SONET infrastructure.

The diagram below illustrates a CONUS wide optical transport network built over a contractor's optical backbone that interconnects Agency's headquarters with branch offices. The Agency's optical network depicted is able to deliver bandwidth via electrical User to Network Interfaces (UNIs) i.e. DS1, DS3, E1, E3 and optical carrier (OC) interfaces i.e. OC-3 up to OC-192.

The contractor's optical backbone in the example below is built by multiple SONET rings designed with two different protection methods (e.g., UPSR, BLSR). The core rings use Bidirectional Switched Ring (BLSR) protection and the metro/access rings uses Unidirectional Path Switched Ring (UPSR) protection. The protection methods define the amount of bandwidth allocated for protection and the number of fibers used for interconnection.

Example SONETS Implementation

SONETS may be ordered in Metro areas or long haul CONUS wide, with OCONUS and Non-Domestic locations optional to offer. As specified in Section C.2.5.2.1.3 of the Networx contracts, the Agency can order SONETS that will connect to and interoperate with:

• Government specified terminations (e.g., Service Delivery point (SDP)-to-SDP, Point of Presence (POP)-to-POP).
• All other networks including other Networx contractors networks where industry standards are used.

General

Basic SONETS is a point-to-point bi-directional, single link service. Private networks with more complex topologies such as rings and mesh can also be provided with Next Generation SONETS capabilities.

SONETS transport technologies have evolved from a strict Time Division Multiplexing (TDM) channel allocation to more flexible bandwidth allocation methods provided by Next Generation SONET technologies. These include Link Adjustment Capacity Scheme (LCAS), Generic Framing Procedure (GFP) and Virtual Concatenation (VCAT). Basic SONET has always enabled Agencies to interconnect dissimilar networks such as Asynchronous Transfer Mode (ATM), Frame Relay (FR), and IP. However, with the additional protocols supported by Next Gen SONET (LCAS, GFP and VCAT), bandwidth efficiency has been considerably improved.

SONETS Technical Capabilities

Agencies subscribing to SONETS may opt for a single connection point-to-point which will be a dedicated connection between two sites with a dedicated, built-in protection channel that will not be used by any other customer's traffic. The Networx contractors support other network topologies such as rings and mesh. More detailed descriptions of SONETS capabilities are provided in Section C.2.5.2.1.4 of the Networx contracts.

SONETS Features

SONETS features that may be orderable are detailed in Section C.2.5.2.2.1 of the Networx contracts and are listed below:

• Bandwidth On Demand (BoD - Optional to offer).
• Channelization (SONET interfaces to Agency CPE that seamlessly interface with the Contractor's SONET network for data transport).
• Dedicated Metro Ring.
• DS1 Rate Synchronization Services (Optional to offer).
• Equipment Protection1:1 and 1+1 - CPE (Protection to user network interfaces at the SDP, where the protection channel is bridged to a failed working channel).
• Network Protection.
• Framing for Electrical Interfaces.
• Geographic Diversity protection.
• Local and Remote Node Multiplexing.

Each Networx contractor may provide variations or alternatives to the offering and pricing for SONETS. The specific details can be found within each Contractors Networx contract files and pricing notes for SONETS.

For more information on the general SONETS specifications and requirements, please refer to Section C.2.5.2 of the Networx contract for technical specifications and Section B.2.5.2 for pricing.

SONETS Price Basics

SONETS is highly reliable transport that provides proactive performance monitoring thus preventing single and multiple failures, and further enables self-healing functions and robust network management. SONETS is a service that was not offered on the original FTS2001 contracts. SONETS is available as:

• Fixed Bandwidth (FB): Transport based on a fixed amount of bandwidth
• Bandwidth-on-Demand (BoD): Transport based on measured bandwidth usage (BoD is optional for Networx contractors. It is currently not offered but may be offered in the future.)

The MRC for transport consists of a fixed component plus a distance-dependent (per mile) component. The mileage charge for SONETS transport is based on the total mileage between the contractor's designated connecting POPs for any two customer locations. CONUS-to-CONUS distance is calculated using the distance formula:

• Distance (miles) = ROUNDUP(SQRT(((V1-V2)^2+(H1-H2)^2)/10),0)
  
• Where (V1, H1) and (V2, H2) are the V and H coordinates of the locations, respectively

Distance involving OCONUS or non-domestic locations is calculated using airline miles. Note: The Networx Pricer automatically calculates the distance when given the originating and terminating locations.

Price components required for full end-to-end service for Domestic and Non-Domestic FB SONETS:

• SONETS Transport monthly recurring charge with a fixed component and charge per mile.
• DAA Originating and Terminating Wireline Access (MRC) and (NRC)
• Features ordered as needed by the Agency
  • Channelization
  • Dedicated Metro Ring is priced on an Individual Case Basis (ICB). CLINs with ICB prices are not available in the unit pricer
  • Equipment Protection 1:1 - CPE
  • Equipment Protection 1+1 - CPE
  • Equipment protection - Network Side
  • Framing for Electrical Interfaces
  • Geographic Diverse protection
  • Local and Remote Node Multiplexing
• Service Enabling Devices (SEDs) may be required to implement SONETS. [Please note that SEDs under Networx replace the FTS2001 User-to-Network Interfaces and Access Adaptation Functions (UNIs/AAFs). SEDs may differ between Networx providers. The pricing structure for SEDs provides for either a one-time payment or monthly term payments for purchase, plus a NRC for installation and a MRC for maintenance.]

Example 1: Domestic SONETS FB OC-3






• SONETS Transport: Choose CLIN 154013 Routine Fixed Bandwidth (FB) SONET OC-3 MRC
• Access NRC: Choose CLIN 760118 Routine DAA OC-3 NRC (ICB) for both ends of the OC-3 Circuit. Prices for this CLIN are not available in the unit pricer. Prices are ICB.
• Access MRC: Choose CLIN 760318 Routine DAA OC-3 MRC (ICB) for both ends of the OC-3 Circuit. Prices for this CLIN are not available in the unit pricer. Prices are provided by the contractor after a street address has been provided and a case number has been assigned.
• SEDs must be chosen based on equipment required at each location. CLINs differ between vendors.

Each Networx contractor may provide variations or alternatives to the offering and pricing for SONETS. The specific details can be found within each Contractors Networx contract files and pricing notes for SONETS.

For more information on the general SONETS specifications and requirements, please refer to Section C.2.5.2 of the Networx contract for technical specifications and Section B.2.5.2 for pricing.

TeleWorking Services (TWS) Technical Summary

Agencies use Networx TeleWorking Services (TWS) to enable employees to perform assigned work duties remotely from their primary office location. TWS offer Agencies services ranging from providing a teleworker's basic telecommunications connectivity to providing a fully managed service comprising a comprehensive set of features including training for the teleworker.

TWS enables geographically dispersed Agency staff to perform their assigned job duties through the use of electronically supported communications and collaboration capabilities. TWS is available in CONUS, OCONUS, and Non-Domestic locations.

TWS effectively enhances the overall Agency mission and business processes. This service offers employees greater flexibility in their working location and hours. There is evidence of an improvement in employee morale as workers avoid the long commutes and lost time. TWS meets the Federal telework mandates including the Public Law 106-346 Section 359.

The illustrative TeleWorking scenario below shows teleworker's at a remote office in New York, a small home office in Maine, and a mobile location in Colorado, all in direct voice and data communication with their central office in Washington D.C. Teleworkers typically establish a connection via a Virtual Private Network (VPN) tunnel through software provided by the Networx contractor.

TWS is an application layer service that uses underlying network services to enable remote communications. It connects geographically dispersed teleworkers and interoperates with the Public Switched Telephone Network (PSTN) and the Internet. It will interface with the following Networx services:

• Voice Services (Section C.2.2 of the Networx contracts).
• Internet Services (Section C.2.4 of the Networx contracts).
• Private Line Services (Optional) (Section C.2.5.1 of the Networx contracts).
• Combined Services (Section C.2.6 of the Networx contracts).
• Virtual Private Network Services (Section C.2.7 of the Networx contracts).

Technical Capabilities

(TWS) technical capabilities are described in detail in Section C.2.12.1.1.4 of the Networx contracts and are summarized below:

• Two tiers of TWS
  • Tier 1 Basic - The Agency manages the service. The contractor provides basic connectivity and related components necessary to establish telework capabilities for the subscriber.
  • Tier 2 Enhanced - The contractor designs and implements a custom service for the subscribing Agency.
• Connectivity to enable data and voice services for a remote teleworker location.
• Secure services with authentication and encryption capabilities before granting access to authorized users.
• Audit trails, management utilities, class of service capabilities, multiple protocols, and multiple domains and dynamic/static addressing.
• Capability to deliver TWS to specified endpoint devices such as analog telephones, FAX devices, IP phones, etc.

Features

• Anti-Virus Management.
• Follow Me Service (Optional).
• Instant Messaging (Optional).
• Intrusion Detection and Prevention.
• Managed Firewall.
• Managed Moves, Adds, and Changes Support.
• Teleworker Firewall that is premise based at the TWS endpoint location.
• Video Conferencing (Optional).
• Voice Mail.
• Voice Service with call waiting, caller ID, Caller ID Block, and three way conference calling.
• Vulnerability Scanning.

Each Networx contractor may provide variations or alternatives to the offering and pricing for TWS. The specific details can be found within each Contractor's Networx contract files and pricing notes for TWS.

For more information on the general TWS specifications and requirements, please refer to Section C.2.12.1 of the Networx contract for technical specifications and Section B.2.12.1 for pricing.

TWS Price Basics

(TWS) provides remote communications to Agency's networks and applications using underlying Networx services. TWS offers two tiers of service ranging from basic connectivity to a custom service:

• Tier 1 - Basic: The Agency manages the service. The contractor provides basic connectivity and related components necessary to establish telework capabilities for the subscriber.
• Tier 2 - Enhanced: The contractor designs and implements a custom service for the subscribing Agency. Prices for Tier 2 are on an Individual Case Basis (ICB) and are not available on the unit pricer.

TWS was not offered on the original FTS2001 contracts.

Price components required for TWS:

• Underlying transport services to provide connectivity
• Basic service (NRC and/or MRC per seat)
• Features ordered as needed by the Agency:
  • Anti Virus Management*
  • Intrusion Detection and Prevention*
  • Managed Firewall*
  • Managed Moves, Add, and Changed Support
  • Teleworker Firewall
  • Voice Mail
  • Voice Service*
  • Vulnerability Scanning*
  • Video Conferencing*
• Service Enabling Devices (SEDs) may be required to implement TWS. [Please note that SEDs under Networx replace the FTS2001 User-to-Network Interfaces and Access Adaptation Functions (UNIs/AAFs). SEDs may differ between Networx providers. The pricing structure for SEDs provides for either a one-time payment or monthly term payments for purchase, plus a NRC for installation and a MRC for maintenance.]

* These features are not available under TWS on the unit pricer. Please see the individual services for pricing.

Each Networx contractor may provide variations or alternatives to the offering and pricing for (TWS). The specific details can be found within each contractor's Networx contract files and pricing notes for (TWS).

For more information on the general TWS specifications and requirements, please refer to Section C.2.12.1 of the Networx contract for technical specifications and Section B.2.12.1 for pricing.

TFS is an inbound voice service which provides a toll free number (no charge to caller) with advanced features and routing capabilities that can be used by an Agency to provide enhanced customer service. TFS capabilities include voice applications, network based Interactive Voice Response (IVR) announcements, call routing to the appropriate party, and caller self service options to effectively manage inbound calls for delivering services to the Agency's callers.

TFS may be ordered as a domestic (CONUS and OCONUS) or non-domestic service with numbering consistent with toll free codes standards in the country in which the call originates.

The diagram below shows a typical TFS configuration. TFS can be used for individuals, help desks and call centers, to provide access to recorded announcements, access to voice mail service, or to provide a telephone number for an individual. TFS connects to and interoperates with the Public Switched Telephone Network (PSTN) including both wireline and wireless transport. TFS utilizes the underlying Voice Service (VS) for connectivity and is offered for both dedicated and switched terminating access arrangements.

TFS provides a similar capability to FTS2001 Toll-Free Service. TFS will support the full range of technical capabilities that are available in commercial offerings. These include an intelligent call routing capability to meet an Agency's specific needs. An Agency can use presently assigned toll free numbers or request "vanity" toll free numbers (e.g., 1-800-CALL GSA) which will be provided if available. TFS supports portability of the assigned toll free number and can deliver inbound calls to a single site or to multiple sites. A brief summary of the other TFS technical capabilities is presented below:

• Universal International Toll Free Number service (UIFN) enabling the Agency to request a single, unique toll free number that is the same throughout the world (Where available commercially from participating countries)
• Busy signal or recorded announcements for all calls encountering network congestion and/or terminating egress congestion. The Agency determines the choice of announcements.
• A capability for customized network intercept to the recorded announcements and messages when a call cannot be completed. The announcement can be recorded by the contractor or remotely by the subscribing Agency in English and Spanish languages (other languages are optional).
• Dialed Number Identification Service (DNIS) that enables multiple toll free numbers to be routed and uniquely identified on a shared trunk group.
• Automatic Number Identification (ANI) to assist Agencies with identifying malicious or emergency calls and the help desk.

TFS also provides a wide range of service features that are listed below and described in the Networx Contracts Section C.2.2.3.2.1 Toll-Free Service Features:

• Agency based routing database
• Alternate Routing (also known as "Cascade" routing)
• ANI
• ANI Based Routing
• Announced Connect
• Announcements
• Call Prompter
• Call Redirection
• Computer Telephony Integration (CTI)
• Custom Call Records
• Day of Week Routing
• Day of Year Routing (Holiday Routing)
• In Route Announcements
• Interactive Voice Response (IVR)
• Make Busy Arrangement
• Network Call Distributor
• Network Queuing (Optional)
• NPA/NXX Routing
• Office Locator Database Service
• Operator Connect Bridging
• Percentage Call Allocation
• Real Time Reporting
• Routing Control
• Service Assurance Routing
• Speech Recognition
• Tailored Call Coverage
• Time of Day Routing

Each Networx contractor may provide variations or alternatives to the offering and pricing for TFS. The specific details can be found within each Contractors Networx contract files and pricing notes for TFS.

For more information on the general TFS specifications and requirements, please refer to Section C.2.2.3 of the Networx contract for technical specifications and Section B.2.2.3 for pricing.

Toll-Free Service (TFS) Price Basics

TFS provides a similar capability to FTS2001 Toll-Free Service. TFS provides basic inbound toll free calling with added capabilities to enable Agencies to effectively manage inbound calls. It includes options for termination of calls for the toll free number over either dedicated access or switched access arrangements. Calls can be either:

• Domestic to Domestic or
• Non-Domestic to Domestic

Price components required for full end-to-end service for Domestic and Non-Domestic to Domestic TFS:

• For switched access termination
  • TFS Transport per-six second increment charge
  • Access: Originating and terminating access costs are included in transport price
• For dedicated access termination
  • TFS Transport per-six second increment charge
  • Access: DAA Originating and Terminating Wireline Access (MRC) and (NRC)
  • Features ordered as needed by the Agency:
    • Agency based routing database
    • Alternate Routing (also known as "Cascade" routing)
    • ANI
    • ANI Based Routing
    • Announced Connect
    • Announcements
    • Call Prompter
    • Call Redirection
    • *Computer Telephony Integration (CTI)
    • Custom Call Records
    • Day of Week Routing
    • Day of Year Routing (Holiday Routing)
    • In Route Announcements
    • *Interactive Voice Response (IVR)
    • Make Busy Arrangement
    • *Network Call Distributor
    • Network Queuing (Optional)
    • NPA/NXX Routing
    • Office Locator Database Service
    • Operator Connect Bridging
    • Percentage Call Allocation
    • Real Time Reporting
    • Routing Control
    • Service Assurance Routing
    • *Speech Recognition
    • Tailored Call Coverage
    • Time of Day Routing
  • Service Enabling Devices (SEDs) may be required to implement TFS. [Please note that SEDs under Networx replace the FTS2001 User-to-Network Interfaces and Access Adaptation Functions (UNIs/AAFs). SEDs may differ between Networx providers. The pricing structure for SEDs provides for either a one-time payment or monthly term payments for purchase, plus a NRC for installation and a MRC for maintenance.]

  * Some or all price components are priced on an Individual Case Basis (ICB). CLINs with ICB prices are not available in the unit pricer.

  Example 1: TFS with Switched Access Termination

  

  • TFS Transport: Choose CLIN 34001 (TFS Transport Usage Price - Switched access termination per six-second increment)
  • Access: For calls terminated over a switched access arrangement, the originating and terminating access costs are included in the transport pricing.
  • SEDs must be chosen based on equipment required at each location. CLINs differ between vendors.

  Example 2: TFS with Dedicated Access Termination

  

  • TFS Transport: Choose CLIN 34002 (TFS Transport Usage Price - Dedicated access termination per six-second increment)
  • Access NRC: Choose CLIN 760111 Routine DAA T1 NRC for the terminating end of the T1 dedicated access circuit
  • Access MRC: Choose CLIN 760311 Routine DAA T1 MRC for the terminating end of the T1 dedicated access circuit
  • SEDs must be chosen based on equipment required at each location. CLINs differ between vendors.

A payphone add-on charge applies to toll-free calls placed from payphones. The payphone add-on charge does not apply to calls placed from payphones paid for by inserting coins during the progress of the call.

Flat rate pricing is provided on a per Service Delivery Point (SDP) basis, for call between locations in CONUS, Alaska, and Hawaii. Flat rate pricing packages are available based upon blocks of minutes used per month. Overage usage charges occur if the maximum monthly minutes are exceeded.

Price components required for full end-to-end service for Flat Rate TFS:

• For switched access termination
  • TFS Transport flat rate MRC (inclusive of a pre-determined number of maximum allowable minutes per month)
  • Overage usage per additional six-second increment for minutes of use above the maximum allowed per month
  • Access: Originating and terminating access costs are included in transport price
• For dedicated access termination
  • TFS Transport flat rate MRC (inclusive of a pre-determined number of maximum allowable minutes per month)
  • Overage usage per additional six-second increment for minutes of use above the maximum allowed per month
  • Access: DAA Originating and Terminating Wireline Access (MRC) and (NRC)
• Features ordered as needed by the Agency
• Service Enabling Devices (SEDs) may be required to implement TFS. [Please note that SEDs under Networx replace the FTS2001 User-to-Network Interfaces and Access Adaptation Functions (UNIs/AAFs). SEDs may differ between Networx providers. The pricing structure for SEDs provides for either a one-time payment or monthly term payments for purchase, plus a NRC for installation and a MRC for maintenance.]

Each Networx contractor may provide variations or alternatives to the offering and pricing for TFS. The specific details can be found within each Contractors Networx contract files and pricing notes for TFS.

For more information on the general OWS specifications and requirements, please refer to Section C.2.2.3 of the Networx contract for technical specifications and Section B.2.2.3 for pricing.

Video Teleconferencing Service (VTS) Technical Summary

VTS supports diverse Agency video teleconferencing needs, such as conferencing, distance learning, remote testimony, and other applications. This service enables participants at different locations worldwide to simulate face to face meetings and conduct interactive dialogue with instant sharing of various applications and documents. VTS supports desktop-PC, portable roll about, and fixed conference room for point-to-point and multi-point conferencing with audio conference add-on capabilities.

VTS is an application-layer service that uses underlying network service(s) to carry video traffic. VTS can operate over circuit-switched networks and Internet Protocol (IP) networks, including the Public Switched Telephone Network (PSTN) and other Networx contractor's networks. Networx Circuit Switched Data Service (CSDS), Network-Based IP VPN Service (NBIP-VPNS), and Private Line Service (PLS) can provide connectivity to the contractor's multipoint video conferencing bridge. VTS provides appropriate adapters and gateways for coding conversion, video format conversion, rate adaptation, protocol conversion, and dissimilar networks.

The diagram below shows the various capabilities of VTS, such as point-to-point and multi-point video conference, reservation, and gateway capabilities.

VTS is similar to Video Teleconferencing Service on the FTS2001 contracts. It supports the full range of technical capabilities that are available in commercial offerings. These capabilities include:

• On-demand and reservation-based video teleconferencing.
• Two way video, one way video with interactive voice, and/or the instant sharing of various types of documents/data files among VTS participants as an adjunct to the video teleconferencing session.
• Document sharing (data conferencing) which enables conference participants to interactively view, edit, and share or transfer data files and documents.
• Audio conference add-on capability to support non-video conference participants in a VTS call.
• Different modes of VTS operations:
  • Dial Out mode: Centralized arrangements where the conference bridge operator initiates a call and dials each participant at least 15 minutes prior to the conference start time.
  • Meet Me (Dial In) mode: Each participant is responsible for individually initiating a call and dialing into the conference bridge.
  • Mixed Dial mode: A combination or mix of both dial out and meet me (dial in) callers.
• During a multi-point conference, the addition of a party to, or the deletion of a party from, the conference will be indicated by a tone or by a verbal or visual announcement.
• Multipoint video conference capabilities:
  • Voice Activation. The video signal transmitted to all VTS conference call locations is automatically switched by voice activation when the speaker's audio signal exceeds a preset level for a specified amount of time.
  • Continuous Presence. Multiple VTS locations may be viewed simultaneously on the same video screen. If the number of locations participating in the video conference exceeds the number being viewed via continuous presence, the selection of the video from a participating location that is displayed can be coordinated between the VTS operator and the participants.
  • Chairperson Control. The chairperson, in control of the VTS, sends his or her own video or selects a return video from one of the participating locations to be sent to all participating locations. The chairperson has the capability of transferring control of the video teleconference to another presenter at his or her location.
  • Lecture Control (Broadcast Video with Audio Return Only). The video from the lecturer's location is transmitted to all VTS participants. Audio, but no video, is returned to the lecturer's location from all other participating locations. The lecturer can select one or all of the audio signals for transmission to all participants.
• Reservation system capabilities:
  • Schedule a multi-point or point-to-point VTS conference within 30 minutes after the advance reservation request, and to schedule a VTS conference up to one year in advance by voice, fax, or electronic means.
  • VTS users can cancel a video teleconference prior to the scheduled start time of the video teleconference.
  • Based on availability of bridging capacity and required network functions, request a delay in the scheduled termination time of a VTS conference, which is already in progress, is granted if the request is made at least 20 minutes before the scheduled terminating time of the VTS.
  • Ability for VTS authorized users to schedule one or more video teleconferences by time and day of week either as a single event or recurring event on a daily, weekly, monthly or other periodic basis.
  • Allows users with operating at different (disparate) data rates/speeds to connect and conference at their preferred speed.
  • Ability to add participants or join a conference.
• Ability for VTS users to request operator assistance to resolve technical issues during a video conference.

These and other service capabilities are detailed in Section C.2.8.1.1.4 Technical Capabilities of the Networx contracts.

VTS also offers features that complement the basic service. These features are described in Section C.2.8.1.2 Features of the Networx contracts and are listed below:

• Attended Service.
• Certification.
• Coding Conversion (Transcoding).
• Rate Adaptation.
• Security - Sensitive but Unclassified (SBU).
• Security - Classified [Optional].

Each Networx contractor may provide variations or alternatives to the offering and pricing for VTS. The specific details can be found within each Contractor's Networx contract and pricing notes for VTS.

VTS Price Basics

VTS enables participants at different locations to simulate face-to-face meetings and conduct interactive dialogue with instant sharing of documents and applications. VTS conferences are available among two or more locations. VTS' audio conference add-on capability supports non-video conference users via a VTS call. Data connectivity is required for VTS. VTS provides the following components:

• Dedicated VTS - The prices for dedicated VTS are in addition to any applicable charges for the underlying access and transport service used for video teleconferencing.
• Dial-in VTS - Participants individually dial into the conference bridge. The prices for dial-in VTS are in addition to any applicable charges for the underlying access and transport service used for video teleconferencing.
• Dial-out VTS - Conference bridge operator initiates call to each participant. The prices for dial-out VTS include the transport and terminating access charges to the user.

Conferences canceled prior to scheduled start time are not billable. After the scheduled start time, all reserved ports and features are billed for the entire reserved duration whether actually used or not. An ongoing conference that is interrupted through no fault of any of the active participating locations is billed at the next lower completed billing increment, and if such an ongoing conference is interrupted in the first billable time increment, there is no billing for any time of that conference session. VTS is similar to Video Teleconferencing Service on the FTS2001 contracts.

• Price components required for full end-to-end basic service for VTS:
• Underlying transport services, such as IPS, CSDS, PLS, or NBIP-VPNS, to provide video/data connectivity
• Basic service consisting of one of the following:
• Dedicated VTS (MRC per port)
• Dial-in VTS (usage charges per minute per port)
• Dial-out VTS (usage charges per minute per port)
• Features ordered as needed by the Agency:
  • Attended service
  • Certification
  • Coding Conversion (Transcoding)
  • Rate Adaptation
  • Security - Sensitive but Unclassified
• Service Enabling Devices (SEDs) may be required to implement VTS. [Please note that SEDs under Networx replace the FTS2001 User-to-Network Interfaces and Access Adaptation Functions (UNIs/AAFs). SEDs may differ between Networx providers. The pricing structure for SEDs provides for either a one-time payment or monthly term payments for purchase, plus a NRC for installation, and a MRC for maintenance.]

Each Networx contractor may provide variations or alternatives to the offering and pricing for VTS. The specific details can be found within each Contractor's Networx contract files and pricing notes for VTS.

For more information on the general VTS specifications and requirements, please refer to Section C.2.8.1 of the Networx contract for technical specifications and Section B.2.8.1 for pricing.

Voice Service (VS) Technical Summary

VS is a service comprised of voice circuits typically capable of carrying one telephone conversation or its digital equivalent. In CONUS analog voice circuits have been replaced with digital equivalent circuits with a 64 kbps standard for both Time Division Multiplex (TDM) and Internet Protocol (IP) based backbone circuits. VS supports outgoing voice calls by direct station-to-station dialing from on-net and off-net locations worldwide, including calling cards.

VS calls can be initiated from many types of telephony equipment, including single-line and multi-line key sets. VS calls typically traverse trunks to PBX and Centrex equipment and terminate in a variety of telephony equipment which may include secure telephone units and connection to Inmarsat mobile satellite devices.

The diagram below shows VS connectivity from on-net locations, such as Agencies served by PBXs and Centrex Central Offices. In addition, VS is interoperable with the Public Switched Telephone Network (PSTN) and all Networx contractors VS networks.

VS supports the full range of technical capabilities that are available in commercial offerings. It is similar to Switched Voice Service (SVS) on the FTS2001 contracts. These capabilities include:

• Uniform numbering plan:
  • Unique directory number for all on-net Government locations, including support of existing FTS2001 numbers.
  • PSTN (including both wireline and wireless networks) numbers and any future changes to PSTN numbers
  • Non-commercial Agency specific private 700 numbers
    • Allow transparency and interconnectivity between the Networx contractor's network and other networks. The contractor provides gateways between the networks as needed.
    • Support originating and terminating on-net calls. Incoming off-net calls from the PSTN are blocked unless an Agency specific request for the service gateway has been received and implemented.
  • Networx contractor's network-specific private numbers, including access to contractor's operators, trouble reporting, or other special applications.
• Network intercept to a recorded announcement is provided as an inherent network capability when a call cannot be completed, for example:
  • Number disconnected (disconnected numbers are not reassigned for at least 90 days for those situations where the contractor controls number assignment).
  • Time-out during dialing.
  • Network congestion.
  • Denial of access to off-net and non-domestic calls.
  • Denial of access to features.
• User-to-user signaling via ISDN D-channel during a call.
• Voice quality at least equal to 64 kbps PCM (standard: ITU G.711) for both TDM and
• VoIP based VS backbone networks.

These and other service capabilities are detailed in Section C.2.2.1.1.4 Technical Capabilities of the Networx contracts.

VS also offer features that complement the basic service. These features are described in Section C.2.2.1.2 Features of the Networx contracts.

• Agency-Recorded Message Announcements.
• Authorization Codes.
• Calling Cards (Post-paid and Pre-paid).
• Caller Identification (ID).
• Call Screening for users (class of service and restrictions).
• Customized Network Announcement Intercept Scripts.
• Internal Agency Accounting Code.
• Off-Net Information Calls.
• Operator Services.
• Support for Government travel cards.
• Suppression of Calling Number Delivery.

Each Networx contractor may provide variations or alternatives to the offering and pricing for VS. The specific details can be found within each contractor's Networx contract and pricing notes for VS.

For more information on the general VS specifications and requirements, please refer to Section C.2.2.1 of the Networx contract for technical specifications and Section B.2.2.1 for pricing.

Voice Service (VS) Price Basics

VS provides a similar capability to FTS2001 Switched Voice Service. VS supports outgoing voice calls by direct station-to-station dialing from on-net and off-net locations, including calling cards. Calls can be either:

• CONUS to CONUS
• CONUS to OCONUS/Non-Domestic
• OCONUS/Non-Domestic to CONUS
• OCONUS/Non-Domestic to OCONUS/Non-Domestic

Price components required for full end-to-end service for VS:

• For switched access origination
  • VS Transport per-six second increment charge.
  • Access: Originating and terminating access costs are included in transport price.
• For dedicated access origination
  • VS Transport per-six second increment charge.
  • Access: DAA Originating and Terminating Wireline Access (MRC) and (NRC).
• Features ordered as needed by the Agency:
  • Agency-Recorded Message Announcements.
  • Authorization Codes/Calling Cards.
  • Caller Identification (ID).
  • Call Screening for users.
  • Internal Agency Accounting Code.
  • Off-Net Information Calls.
  • Operator Services.
  • Suppression of Calling Number Delivery.
• Service Enabling Devices (SEDs) may be required to implement VS. [Please note that SEDs under Networx replace the FTS2001 User-to-Network Interfaces and Access Adaptation Functions (UNIs/AAFs). SEDs may differ between Networx providers. The pricing structure for SEDs provides for either a one-time payment or monthly term payments for purchase, plus a NRC for installation, and a MRC for maintenance.]

VOIPTS provides transport of Agency voice communications as data packets over a contractor's Internet Protocol (IP) network as a cost effective alternative to legacy voice systems and architectures. VOIPTS allows voice calls, originating from on-net locations to be connected to both on-net and off-net locations by direct dialing.

VOIPTS facilitates connections to and interoperability with the Public Switched Telephone Network (PSTN), including both wireline and wireless networks, in both domestic and non-domestic locations. The primary cost saving application for VOIPTS is to replace dedicated tielines between Agency PBX's. As shown in the figure below, VOIPTS gateways enable interoperability between Voice over IP (VoIP) networks and non-IP networks and devices. Gateway functions include:

• Access Gateway-Provides access to the contractor's network via an Ethernet port from an Agency's local area network (LAN) or other IP equipment.
• Trunking Gateway-Provides access and interoperability between the IP network and the Agency's Time Division Multiplexing (TDM) based equipment (PBX's etc).
• PSTN Gateway-Provides transparent access to and interoperability with the domestic and non-domestic PSTN.

Example of VOIPTS Implementation

The service has the capability for calls to be re-routed to the PSTN if VOIPTS fails or is unavailable to complete calls. VOIPTS provides cost savings by the capability to bypass the PSTN entirely.

VOIPTS continues and extends a service that was offered on FTS2001 contracts. The service technical capabilities are detailed in Section C.2.7.8.1.4 of the Networx contracts which include the following:

• Capability for VOIPTS subscribers to establish and receive telephone calls between on-net locations and originate calls to off-net locations.
• A routing prioritization scheme (class of service) scheme that assigns a higher priority to time sensitive VOIPTS packets than to non-time sensitive packets.
• Interoperability with public and private Agency network dial plans.
• Gateways for interoperability between diverse networks (illustrated in the above figure) that comply with the subscribing Agency's interface requirements.
• Flexible alternate routing capability (overflow and failover routing) to rout off-net calls to the PSTN if VOIPTS is unavailable.
• Capability to interoperate with Agency firewalls and security layers.
• Secure contractor's web site for VOIPTS performance and management reports.
• Call routing capability between phone numbers and IP addresses or URLs.
• Security practices and safeguards to minimize susceptibility to security issues and prevent unauthorized access.

VOIPTS is a basic service which does not have additional orderable features.

Each Networx contractor may provide variations or alternatives to the offering and pricing for VOIPTS. The specific details can be found within each Contractor's Networx contract files and pricing notes for VOIPTS.

For more information on the general VOIPTS specifications and requirements, please refer to Section C.2.7.8 of the Networx contract for technical specifications and Section B.2.7.8 for pricing.

VOIPTS Price Basics

VOIPTS enables Agencies to leverage the WAN data network to transport voice communications between Agency locations. VOIPTS uses an underlying, separately priced, contractor provided IP network to provide on-net calling. On-net calling is free of usage charges up to the performance capability of the VOIPTS interface hardware. Management of the network is provided by the underlying network service. Calls to off-net locations are delivered via a contractor provided PSTN gateway. The price structure consists of outbound usage to off-net locations and is priced in six second increments.

VOIPTS continues and extends a service that was offered on FTS2001 contracts.

Price components required for full end-to-end service for Domestic and Non-Domestic VOIPTS:

• Underlying contractor provided IP network, such as NBIP-VPNS, to provide on-net calling
• DAA Originating and Terminating Wireline Access (MRC) and (NRC)
• VOIPTS Transport outbound usage charge to off-net locations per six-second increment
• No features available currently
• Service Enabling Devices (SEDs) may be required to implement VOIPTS. [Please note that SEDs under Networx replace the FTS2001 User-to-Network Interfaces and Access Adaptation Functions (UNIs/AAFs). SEDs may differ between Networx providers. The pricing structure for SEDs provides for either a one-time payment or monthly term payments for purchase, plus a NRC for installation and a MRC for maintenance.]

This document only addresses the VOIPTS service at contract award. Each Networx contractor may provide variations or alternatives to the offering and pricing for VOIPTS. The specific details can be found within each Contractor's Networx contract files and pricing notes for VOIPTS.

For more information on the general VOIPTS specifications and requirements, please refer to Section C.2.7.8 of the Networx contract for technical specifications and Section B.2.7.8 for pricing.

The Networx contracts require a basic level of security management for its contractors that ensures compliance with Federal Government generally accepted security principles and practices, or better. The contracts employ adequate and reasonable means to ensure and protect the integrity, confidentiality, and availability of Networx services, Operational Support Systems (OSS), and Government information transported or stored in the contractor's Networx services infrastructure. These requirements are detailed in Section C.3.3.2 Security Management of the Networx contracts.

In addition to this mandatory level of security, the Networx contracts provide additional security services that may be ordered on a fee-for-service basis. These are:

• 1.Managed Tiered Security Service (MTSS)
• 2.Managed Firewall Service (MFS)
• 3.Intrusion Detection and Prevention Service (IDPS)
• 4.Vulnerability Scanning Service (VSS)
• 5.Anti-Virus Management Service (AVMS)
• 6.Incident Response Service (INRS)
• 7.Managed E-Authentication Service (MEAS)
• 8.Secure Managed E-Mail Service (SMEMS)

The VSS offering is described below.

VSS Technical Summary

VSS allows Agencies to conduct effective and proactive assessments of critical networking environments, and correct vulnerabilities before they are exploited. VSS searches for security holes, flaws, and exploits on Agency systems, networks and applications. VSS helps to guard the Agency network infrastructure against emerging threats.

VSS builds on the FTS2001 contracts offerings. The service connects to and interoperates with the Agency networking environment, including Demilitarized Zones (DMZs) and secure LANs as required by the Agency. The service also supports Internet connectivity.

The Agency may order one or more of the following:

• External Vulnerability Scanning which tests Internet connected nodes in the network, including Web environments
• Internal Vulnerability Scanning which looks for local/host flaws and internal threats, usually inside the firewall

The diagram below illustrates a sample VSS implementation. Illustrative hardware such as edge routers, firewalls and Agency servers are not provided as part of the VSS.

VSS also provides an Application Programming Interface (API) feature. This allows the Agency to integrate the service into its own tools and applications, as required, using for example, a standard Extensible Markup Language (XML) API. This enables Agency security personnel to assess the vulnerabilities of hosts, export vulnerability data, etc.

VSS Technical Detail

VSS tests for vulnerabilities by comparing scanned information to threat data contained in a database. VSS can also simulate a real intrusion in a controlled environment, in order to gauge a network's susceptibility to attacks. The service performs external scans by remotely probing a network for vulnerabilities that generally come from the outside; and internal scans which detect flaws originating from the inside.

VSS supports a range of technical capabilities that are available in commercial offerings. The contractor establishes, implements, and maintains the vulnerability scanning service, which operates on a 24x7 basis. The systems periodically probe networks, including operating systems and application software, for potential openings, security holes, and improper configuration. VSS explores vulnerabilities in, but not limited to, the following areas as applicable:

• Backdoors.
• Brute Force Attacks.
• Network Sniffing.
• Protocol Spoofing.
• Trojan Horses.

The VSS contractor proactively identifies network vulnerabilities, and proposes appropriate countermeasures, fixes, patches, and workarounds. The contractor notifies the Agency of vulnerabilities discovered, and also provides secure Web access to vulnerability information, scan summaries, device/host reports, and trend analyses. VSS provides scan scheduling flexibility to the Agency in order to minimize any interruptions in normal business activities. The service also supports non-destructive and non-intrusive vulnerability scans that will not crash the systems being analyzed, or disrupt Agency operations. The scans will not provoke a debilitating denial of service condition on the Agency system being probed. The VSS scanning engine is regularly updated with new vulnerabilities information in order to maintain effectiveness of the service. These and other VSS service capabilities are detailed in Section C.2.10.3.1.4 Technical Capabilities of the Networx contracts.

VSS is required to support the User-to-Network Interfaces (UNIs) defined in applicable Networx services, for example:

C.2.4.1 Internet Protocol Service (IPS). C.2.7.2 Premises-based IP VPN Services (PBIP-VPNS). C.2.7.3 Network-based IP VPN Services (NBIP-VPNS).

Each Networx contractor may provide variations or alternatives to the offering and pricing for VSS. The specific details can be found within each Contractor's Networx contract files and pricing notes for VSS.

For more information on the general VSS specifications and requirements, please refer to Section C.2.10.3 of the Networx contract for technical specifications and Section B.2.10.3 for pricing.

VSS Price Basics

VSS provides external and internal vulnerability assessments of the Agency's networking environment. The service mitigates security holes and flaws before they are exploited. VSS provides the following pricing options:

• Unlimited Scans consist of unlimited scans within a month for a predetermined number of IP addresses. The NRC includes the design, implementation, and configuration of VSS. The MRC comprises the management and ongoing scanning/monitoring support.
• Usage consists of a predefined number of scans to be distributed over any IP addresses as defined by the Agency at the time the scan is conducted. A scan comprises one scan of one IP address one time.

VSS builds on the FTS2001 contracts offerings.

Price components required for service are:

• Underlying transport services, such as IPS to provide connectivity
• Basic service (NRC and/or MRC) consisting of either:
  • VSS Unlimited Scans (NRC + MRC per IP address or per block of IP address)
  • VSS Usage (NRC per scan or per block of scans)
• VSS Application Programming Interface feature ordered as needed by the Agency
• Service Enabling Devices (SEDs) may be required to implement VSS. [Please note that SEDs under Networx replace the FTS2001 User-to-Network Interfaces and Access Adaptation Functions (UNIs/AAFs). SEDs may differ between Networx providers. The pricing structure for SEDs provides for either a one-time payment or monthly term payments for purchase, plus a NRC for installation and a MRC for maintenance.]

• Transport: Choose Networx telecommunications services such as IPS
• Unlimited Scans NRC: Choose CLIN 350002 (Unlimited Scans for 10 specified IP addresses NRC per block of 10 IP addresses)
• Unlimited Scans MRC: Choose CLIN 350102 (Unlimited Scans for 10 specified IP addresses MRC per block of 10 IP addresses)
• SEDs may be required to implement VSS. Illustrative hardware is not provided as part of the VSS.

Each Networx contractor may provide variations or alternatives to the offering and pricing for VSS. The specific details can be found within each Contractor's Networx contract files and pricing notes for VSS.

For more information on the general VSS specifications and requirements, please refer to Section C.2.10.3 of the Networx contract for technical specifications and Section B.2.10.3 for pricing.

WCS Technical Summary

WCS enable agencies to enhance traditional conferencing by allowing remote participants to interactively collaborate to share information, documents, and applications over the Internet with a commercially available web browser. The scope of collaboration is wide and allows the participants real-time interactive collaboration in a private and secure WCS session for activities such as Sharing Presentations/Documents, File Transfers, Polling, Online Surveys, Voting, Slide Annotation, White Board, and chat - public and private.

WCS is typically used in conjunction with an audio and/or video conference and enables Agencies to provide participants with secure, user friendly and interactive real time collaboration capabilities. Agencies can utilize WCS to effectively disseminate information quickly and easily, reduce the cost of training and educational programs, and permit individuals and groups to participate in activities they otherwise would be unable to attend due to a variety of conflicts.

The figure below shows a typical WCS application.

Networx Web Conference Service

WCS is an application layer service provided over an Internet connection that has no geographic coverage constraints. The service is accessible via a Universal Resource Locator (URL) address and will be compatible with commercially available Internet web browser software packages. WCS will interoperate with the Internet and subscribing Agencies IP network(s). Agency Internet access to WCS is not included as part of the service.

WCS was not offered on the original FTS2001 contracts but some similar conferencing capabilities are covered in other FTS2001 services. WCS will provide point-to-point and multi-point web conferences supported with customized greeting, authentication, password protection and Online Help. WCS will traverse and successfully interoperate with Agency firewalls and security layers.

Capabilities

WCS provides a wide range of Technical Capabilities available to the authorized users and a detailed description of these is covered in the Section C.2.8.3.1 4 of the Networx Contracts. Listed below is a very brief summary of the capabilities provided to the participants.

• Authentication and password protection; a customized greeting (or message) screen, and Online Help.
• Test and verification of the web browser on Participant's computer or Personal Digital Assistant (PDA) to ensure that it is compatible with WCS. The appropriate plug-ins required to deliver WCS to the subscriber will be provided.
• Support for dynamic content, i.e., the ability to use Audio Visual Interleave (AVI's) files, flash, animated gif, and dynamic html pages.
• Conference Request on demand, via scheduled reservation with a single point of contact, within 30 minutes prior to the requested conference time.
• Scheduling or cancelling one or more web conferences, within at least one year in advance, either as a single event or recurring event on a daily, weekly, monthly, or other periodic basis.
• E-mail notification with a meeting invitation and RSVP to conference participants.
• Ability to extend the scheduled conference time and to add participants as requested.
• Capacity to support at least 31 simultaneous participants in an individual web conference.
• Immediate response to an operator request for assistance to resolve any technical or WCS service issues or problems.
• Ability for the participants to view the name list of other participants attending the WCS.
• Ability for the conference leader to control and share a remote participant's desktop application.
• Group web surfing ability for the conference leader to enable him to guide and navigate WCS participants to a web page.
• Ability for multiple Presenters on a WCS meeting or event.
• Ability for the conference leader to lock and unlock access to the meeting. When the meeting is locked, no additional participants can join the active conference. [Optional]
• Ability for conference leaders to print the presentation used during the WCS or save it to a file. Participants shall have the same capability if permitted by the conference leader.

Features

WCS also provides service features listed below and described in the Networx Contracts Section C.2.8.3.2.1 Toll-Free Service Features:

• Streaming Audio - Ability to deliver one way audio synchronized with any data portions of the web conference.
• Streaming Video - Ability to deliver one way video synchronized with any data portions of the web conference.
• Web Based Presentation Replay - Ability to replay (or playback) web based presentations. The replay shall be available for a minimum of 30 days after the initial conference with options for extending the period.

Each Networx contractor may provide variations or alternatives to the offering and pricing for WCS. The specific details can be found within each Contractors Networx contract files and pricing notes for WCS.

For more information on the general WCS specifications and requirements, please refer to Section C.2.8.3 of the Networx contract for technical specifications and Section B.2.8.3 for pricing.

WCS Price Basics

WCS enables real time collaboration between participants using a commercially available web browser and is typically used in conjunction with an audio or video connection. WCS provides the following pricing options:

• A usage charge per minute per port
• A subscription service consisting of a Monthly Recurring Charge (MRC) per subscription with a set number of participants (5,10,20, or 30 participants)

Underlying transport services (i.e. VS for audio, IPS for Internet connection) to provide connectivity are separately priced. Audio Conferencing Service (ACS) and Video Teleconferencing Service (VTS) may also be required for audio and video conferencing and are separately priced.

WCS was not offered on the original FTS2001 contracts but some similar conferencing capabilities are covered in other FTS2001 services.

Price components required for WCS Usage:
• Underlying transport services, such as IPS or VS, to provide connectivity (Audio Conferencing Service (ACS) and Video Teleconferencing Service (VTS) may also be required for audio and video conferencing)
• Basic service (usage charges per minute per port)
• Features ordered as needed by the Agency:
  • Streaming audio
  • Streaming video
• Web Based Presentation Replay
• Service Enabling Devices (SEDs) may be required to implement WCS. [Please note that SEDs under Networx replace the FTS2001 User-to-Network Interfaces and Access Adaptation Functions (UNIs/AAFs). SEDs may differ between Networx providers. The pricing structure for SEDs provides for either a one-time payment or monthly term payments for purchase, plus a NRC for installation and a MRC for maintenance.]