Payment Card Industry Data Security Standards Audit Readiness.

Other / Unclassified

This document, "Special Provisions," outlines key contractual terms and conditions for a potential contract. It details the Contracting Officer's sole authority for changes, clarifies that the NAFI will not supervise contractor employees, and specifies the contract type as Firm Fixed Price with a base period and four one-year options, totaling a potential five-year term.

• Contract Type: Firm Fixed Price.
• Term: One (1) base year with four (4) one-year options (total potential 5 years).
• Contracting Officer Authority: Only the Contracting Officer can approve changes; unauthorized changes will not be paid.
• Supervision: The NAFI will not supervise contractor employees; employees report to the Contractor.
• Price Adjustments: Fixed prices are standard, but increases may be requested due to substantial, unanticipated cost increases, requiring a written request with justification and Contracting Officer approval.
• Privacy Act: Contractors must comply with the Privacy Act of 1974 for any system of records on individuals developed or operated under the contract. This includes including the Privacy Act notification in subcontracts.
• Security Safeguards: Contractors must not disclose safeguards without written consent and must allow government access for inspections.
• Section 508: All procured Information and Communication Technology (ICT) must meet accessibility standards.
• Data Stewardship: Software, database schema, and documentation must be placed in escrow and updated. Data must remain accessible at the end of the contract.
• Disclosure of Information: Contractors must obtain written approval before releasing unclassified information related to the contract, unless it's public domain or fundamental research.
• Communication: All issues and questions regarding delivery, scope, or price must be directed solely to the Contracting Officer.

Form / Attachment / Pricing Sheet

This document, "Subcontractor/Teaming Partner Past Performance Information (PPI)," is a form designed to collect detailed past performance data for subcontractors or teaming partners. Bidders are required to fill out one worksheet for each reference, with a minimum of three references needed.

• Submitting Reference Information: Details about the subcontractor/teaming partner providing the reference.
• Reference Company Details: Name, address, and contact information (Name, Title, Phone, Email) for the company providing the reference.
• Project Details: Program/Project title, contract/solicitation number, description of effort (including magnitude and complexity relative to the current opportunity), contract type, and period of performance (original and actual).
• Contract Changes: Information on the number of changes to the project scope or requirements, and the primary causes for these changes.
• Contract Value: Original and current/actual contract dollar value.
• Completion Status: Current or actual completion date, or percentage of completion if not yet finished.
• Subcontractor Roles: Details on any subcontractors involved in the referenced project, including their roles and contact information.

This form is crucial for bidders to document the past performance of their proposed subcontractors or teaming partners. The information collected will likely be used by the government to evaluate the capability and reliability of the proposed team members in fulfilling the requirements of the primary opportunity.

Form / Attachment / Pricing Sheet

This document is a sample consent letter for a subcontractor or teaming partner to authorize the release of their past performance information to the prime contractor. This is required for the Air Force Services Center's Request for Quote (RFQ) for Payment Card Industry Data Security Standard Audit Readiness, RFQ number F41999-26-Q-0007.

• Identifies the participating entity as a subcontractor or teaming partner.
• Specifies the prime contractor or quoting entity.
• References the specific RFQ and its subject.
• States the purpose is to allow discussion of past performance information for the source selection process.
• Requires signature and title of an authorized individual and the date.

Subcontractors or teaming partners responding to this RFQ must complete and submit this consent letter to allow their past performance to be considered in the evaluation process.

Form / Attachment / Pricing Sheet

This document, titled "REPRESENTATIONS, CERTIFICATIONS, AND OTHER STATEMENTS OF OFFERORS OR QUOTERS," is a form that potential bidders must complete and submit as part of their offer. It collects essential information about the offeror's business organization, pricing practices, compliance with the Buy American Act and Trade Agreements Act, payment address, acknowledgment of amendments, authorized negotiators, and certifications regarding debarment, suspension, and proposed debarment, as well as taxpayer identification.

• Type of Business Organization: Requires selection of the offeror's legal structure (corporation, partnership, individual, etc.).
• Certificate of Independent Price Determination: Certifies that prices were determined independently and without collusion.
• Buy American - Trade Agreements - Balance of Payments Program Certificate: Requires certification regarding the origin of end products and components, with provisions for excluded end products.
• Payment Address: Specifies where payments should be sent.
• Acknowledgement of Amendments: A section to acknowledge receipt of any amendments to the solicitation.
• Authorized Negotiators: Lists individuals authorized to negotiate on behalf of the offeror.
• Certification Regarding Debarment, Suspension, Proposed Debarment, and Other Responsibility Matters: Certifies the offeror's eligibility and responsibility.
• Taxpayer Identification: Requires the offeror's Taxpayer Identification Number (TIN) and corporate status.

Completion of this form is mandatory for all offerors. It ensures that the government has the necessary information to evaluate the offeror's eligibility, responsibility, and compliance with various federal regulations. Failure to complete this form accurately and thoroughly may result in the offer being deemed non-responsive or the offeror being deemed non-responsible.

Other / Unclassified

This document is a "Current State Assessment" for "PCI" (likely referring to Payment Card Industry compliance or a similar program) within the U.S. Air Force, specifically referencing AFSVC (Air Force Services) and Installations. It outlines six key observations regarding the current state of PCI.

This assessment provides a snapshot of the current status of PCI-related activities. Bidders interested in opportunities related to PCI compliance, governance, process improvement, or enterprise technology strategy within the Air Force may find this document useful for understanding the existing environment, identified challenges, and areas of focus. The "Overall Rating" (indicated by colored dots: green for positive, yellow for areas needing attention) and specific observations highlight areas where improvements or further action may be required, potentially informing proposal development for related solicitations.

• Published PCI Governance Documentation (Green)
• Clarifying Roles & Responsibilities between AFSVC and Installations (Green)
• In-Progress PCI Scope & Evidence Collection (Yellow)
• Maturing Enterprise Tech Deployment Strategy (Green)
• Addressing Manual Processes & Noncompliant Behaviors (Yellow)
• Improving Business Processes (Green)

Form / Attachment / Pricing Sheet

This document is the "Contractor Past Performance Information (PPI)" worksheet, dated December 3, 2025. It is designed for contractors to provide details about their past performance on previous projects. A minimum of three references are required.

• Contractor Submitting Reference: Fields for the contractor's name and contact information.
• Reference Company/Division Name: Name of the company that can provide a reference.
• Reference Company Physical and Mailing Address: Address of the reference company.
• Reference Company Contact (POC): Name, Title, Phone Number, and Email of the point of contact at the reference company.
• Program/Project Title: Title of the similar project completed within the last five years.
• Contract Number/Solicitation Number: The number for the referenced project or program.
• Description of Contract/Project Effort: Details on the magnitude and complexity of the effort.
• Type of Contract/Project: Applicable contract types (e.g., Firm Fixed Price, Time and Materials, Cost Plus).
• Period of Performance: Original and current/actual schedules, number and causes of changes.
• Contract Dollar Value: Original and current/actual values at selection/closing and completion, including number and causes of changes.
• Current or Actual Contract Value: Including all changes and exercised options.
• Current or Actual Completion Date: Or percentage of completion if not complete.
• Sub-contractors: Details on any sub-contractors involved, including their personnel and organizations.

This form is crucial for bidders to document their relevant past performance. It requires detailed information about previous projects, including scope, value, period of performance, and any changes, as well as information about key personnel and subcontractors. This information will likely be used by the government to evaluate the bidder's capability and experience for the current opportunity.

Statement of Objectives (SOO)

This Statement of Objectives (SOO) outlines the need for expert support to achieve and maintain Payment Card Industry Data Security Standard (PCI DSS) compliance for the Air Force Services Center (AFSVC) merchant card processing operations. The primary goal is to enhance security, mitigate risks associated with payment card processing, and optimize business processes.

• PCI DSS Compliance Expertise: Review data and gap assessments, refine PCI DSS scope, identify requirements for an expedited compliance path, and conduct formal audits.

• Business Process Guidance: Guide the development and maturation of end-to-end business systems and processes related to merchant processing, identifying improvement opportunities and assisting with business process development.

• Strategic Planning: Develop strategies, frameworks, tools, and guidance documents for an enterprise PCI compliance program.

• QSA Assessment Readiness: Provide recommendations for security measures, documentation, and reporting to prepare for formal PCI DSS compliance assessments.

• Commercial Expertise: Recommend compliance solutions, tools, technologies, and processes, including areas like process codification, merchant ID management, enterprise data management, and governance.

• Deliverables: Include a Project Plan, Strategic Compliance Roadmap, Risk Assessment, Incident Response & Contingency Planning support, Documentation & Reporting, Gap Analysis, Security Control Implementation & Remediation, Vulnerability Management, Merchant Services Optimization, Audit Support, and Reporting.

• The document does not explicitly state the period of performance, but mentions the formal audit is expected by the end of FY26.

• Place of Performance is primarily at 3515 South General McMullen Bldg. 1, San Antonio, TX 78236-9854. Remote work is authorized for the majority of the contract, with potential for in-office work as agreed.

• Contractor Qualifications: Must be a Certified Qualified Security Assessor (QSA) with experience in DoD/Federal entities and at least five years of experience in establishing enterprise systems for geographically separated enterprises.

• Security: Work is primarily UNCLASSIFIED. Building access requires coordination. Specific training (Cyber Awareness, CUI, Privileged User Cybersecurity) and security clearances may be required. Personnel requiring system access must be adjudicated with a favorable determination and sign a non-disclosure agreement.

• Data: The NAFI will have unlimited rights to technical data. Data generated is owned by the NAFI and must be physically separated.

• Reporting: Weekly progress reports and monthly contract progress reports are required. Kick-off and status meetings will be held.

Solicitation / RFP / RFQ

This document provides instructions, requirements, conditions, and notices to contractors for the "Payment Card Industry Data Security Standard Audit Readiness" opportunity. The requirement is funded by Air Force Morale, Welfare, and Recreation (MWR) programs, not appropriated funds.

• Contractors must submit quotes in Adobe PDF format via secured email.

• Quotes must include:

  • Contractor's Statement Work (CSOW)/Technical Solution
  • Supplies, Services and Prices (Pricing)
  • Deliveries or Performances (Delivery Schedule)
  • NAF Standard Clauses (dated 30 May 2025) with confirmation of acceptance or exceptions.
  • Contract Documentation (company background, executive summary, exceptions, NAF Standard Clauses, special provisions, deliveries/performances, reps and certs).
  • Contractor Past Performance Information (PPI) for the last five (5) years.
  • Subcontractor/Teaming Partner Consent Letters and PPI (if applicable).

• Quotes must demonstrate understanding of the requirements and scope.

• Technical experience and past performance are key evaluation factors.

• The contract type is not explicitly stated, but the document refers to "quotes" and "RFQ", suggesting a competitive procurement.

• Funding is through MWR programs.

• Quotes are due by 2:00 PM, Central Standard Time, on Thursday, 29 January 2026.

• Submission is via secured email to fay.cameron@us.af.mil and valerie.baltimore@us.af.mil. A separate email with the password is required.

• Quotes may be modified or withdrawn by written notice before award.

• Evaluation will be based on technical solution/CSOW and past performance (LPTA - Lowest Price Technically Acceptable).

• Marketing and informational material will not be evaluated and counts towards page limits.

• Failure to submit required documents or meet page limits may result in rejection.

• No specific set-aside information is provided in this document.

• Questions & Answers (ATCH 13) are provided. Additional questions are due by 4:00 PM, Central Standard Time, Monday, 12 January 2025.

• Formatting requirements include page size, font type and size, and line spacing.

• Quote validity period must be at least 180 calendar days from the closing date.

Questions & Answers / Clarifications

This document provides responses to vendor questions regarding a solicitation for Payment Card Industry Data Security Standard (PCI DSS) compliance services for the Air Force Services Center (AFSVC).

• Merchant Classification: Level 1 Merchant status has been validated with Payment Brands; contractors do not need to validate.
• Data Provision: Government will provide data upon contract award, including site assessments, scoping inventories, PCI policies, gap assessments, and remediation roadmaps. A complete inventory of PCI-related system components is underway (55% complete).
• Scope: The entire Nonappropriated Fund Instrumentality (NAFI) Cardholder Data Environment (CDE) is in scope, including all 104 worldwide locations and approximately 2,200+ business activities. A representative sample of sites is required for assessment.
• Implementation: AFSVC is procuring separate technical support contracts for remediation efforts; the awarded contractor will primarily provide advisory and oversight services.
• Timeline: The target for formal audit completion (Report on Compliance - ROC) is by the end of FY2026 (September 30, 2026).
• Contract Type: The solicitation is a competitive Lowest Price Technically Acceptable (LPTA) Request for Quote (RFQ), with a Firm-Fixed Price contract type anticipated.
• Previous Work: This is a follow-on effort to a contract awarded to Accenture Federal Services LLC (PO F41999-25-P-0335).

These clarifications provide significant detail on data availability, scope boundaries, contractor responsibilities for remediation, and the overall project timeline and contract type, which will be crucial for bidders preparing their proposals.

Form / Attachment / Pricing Sheet

This document, titled "CONTRACT ADMINISTRATION DATA," provides essential information regarding the administrative aspects of a contract. It details how contractual matters will be handled, including points of contact, invoicing procedures, payment methods, and the contract payment schedule.

• Contractual Information: Identifies the Contracting Officer (Ms. Valerie Baltimore) and Contract Specialist (Ms. Fay Cameron) for contractual interpretation and assistance, including their contact details.
• Invoices: States that invoices will be paid according to agreed-upon payment terms, which will be specified in the Purchase Order.
• Method of Payment: Specifies that the Air Force Services Center will use a NAF Purchase Card (Visa) for payments.
• Contract Payment Schedule: Outlines that 75% of the contract amount (excluding travel) will be paid over the base period, with the remaining 25% held back until final delivery is received and accepted.
• Contracting Officer's Representative (COR): Refers to Section 6 of the Statement of Objectives for COR responsibilities and indicates that the COR and Alternate will be provided at the time of contract award. Contact information placeholders are included for the COR and Alternate.

This document is crucial for bidders as it clarifies key administrative processes that will be in place once a contract is awarded. Understanding the payment schedule, invoicing procedures, and designated points of contact is essential for managing contract performance and financial aspects.

Solicitation / RFP / RFQ

This document outlines the evaluation factors for the "Payment Card Industry Data Security Standard Audit Readiness" requirement, utilizing a Lowest Price Technically Acceptable (LPTA) approach. The Nonappropriated Fund Instrumentality (NAFI) intends to award one contract.

• The Contractor Statement of Work (CSOW) will be incorporated into the contract and must detail the contractor's understanding of the requirement and how they will fulfill all requirements, including qualifications, technical requirements, and deliverables.

• Contract type: Firm-fixed pricing.

• Quote validity period: At least 120 calendar days from the closing date of the solicitation.

• Travel costs will be paid in accordance with the Federal Travel Regulation (FTR) and will not be included in the initial pricing submission unless requested.

• Quotes will be evaluated without discussions, unless deemed necessary by the Contracting Officer.

• Evaluation Factors:

  • FACTOR 1: Contractor Statement of Work (CSOW)/Technical Solution (Acceptable/Unacceptable)
  • FACTOR 2: Past Performance (Acceptable/Unacceptable)
  • FACTOR 3: Cost/Price

• The NAFI may require an oral presentation or interview as part of the technical evaluation.

• Price will be evaluated for cost/price realism, balance, and reasonableness. Unrealistically low or unreasonably high prices may lead to elimination.

• Not specified in this document.

• References to ATCH 10 - Contractor Past Performance Information (PPI) dated 24 Sep 2025 and ATCH 11 - Subcontractor Teaming Partner PPI dated 24 Sep 2025 for past performance details.

• References ATCH 05 - Supplies, Services and Prices 24 Sep 2025 for pricing schedule.

• Failure to comply with solicitation terms may result in ineligibility for award.

Statement of Work (SOW) / Performance Work Statement (PWS)

This document outlines the "Deliveries or Performances" for the Payment Card Industry (PCI) Data Security Standard (DSS) Audit Readiness opportunity. The primary objective is to ensure the organization's readiness for PCI DSS audits and compliance.

The scope of work is divided into CLINs (Contract Line Item Numbers) and includes a variety of tasks related to PCI DSS compliance, such as:

• Developing a Project Plan and RASCI matrix.
• Refining a Strategic Compliance Roadmap.
• Conducting Risk Assessments and Vulnerability Management.
• Supporting Incident Response and Contingency Planning.
• Reviewing and assessing PCI DSS documentation and compliance for business processes and POS systems.
• Implementing and remediating security controls.
• Optimizing merchant services.
• Providing training and awareness support.
• Assisting with PCI DSS audit preparation and execution.
• Developing a Report on Compliance (ROC) and Audit Findings & Remediation Plan.

The period of performance is twelve months after receipt of award. Specific deliverables have varying timelines, some starting immediately upon contract kickoff and others extending throughout the option years.

• All deliverables must be approved by the Contracting Officer Representative (COR).
• The Contractor must annotate if any deliverable timelines are concurrent.
• Performance time is computed beginning with the actual date of the award.

Form / Attachment / Pricing Sheet

This document, "NONAPPROPRIATED FUND STANDARD CLAUSES," outlines the standard terms and conditions that apply to contracts with Nonappropriated Fund Instrumentalities (NAFIs). It serves as a foundational document for bidders to understand their rights, responsibilities, and the governing regulations for such contracts.

• Definitions: Clarifies key terms such as Contract, Contracting Officer, Contractor, COR, Day, and NAFI.
• Legal Status: Defines NAFI as an integral part of the Department of Defense, not funded by appropriated U.S. funds.
• Claims, Protests & Appeals: Details procedures for resolving disputes, including requirements for written claims, certifications for claims over $100,000, and appeal processes.
• Representations: States that the written contract is the entire agreement and prohibits oral representations from binding the parties.
• Advertisements: Outlines restrictions on contractor advertisements regarding NAFI endorsement.
• Examination of Records: Grants the Contracting Officer the right to audit contractor records.
• Hold and Save Harmless: Requires the contractor to indemnify the NAFI and U.S. entities.
• Insurance: Mandates contractor-provided insurance coverage and specifies requirements for certificates of insurance.
• Procurement Integrity: Certifies that no improper offers, gratuities, or proprietary information will be exchanged.
• Termination Clauses: Covers termination for convenience, cancellation by mutual agreement, and termination for cause, including procedures and contractor liabilities.
• Changes: Outlines the process for the Contracting Officer to make changes to the contract scope and the contractor's right to equitable adjustments.
• Social Responsibility and Labor Standards: Addresses Combating Trafficking in Persons (CTIP), labor laws, work hours, compensation, benefits, and non-discrimination.
• Inspection and Acceptance: Defines the process for inspection and acceptance of supplies and services.
• Commercial Terms and Conditions: States that commercial terms are not inherently enforceable and require bilateral agreement for modifications.
• Taxes: Clarifies how taxes are handled within the contract price.
• Invoices: Specifies requirements for proper invoice submission for payment.
• Law Governing Contracts: Indicates that Federal laws of the United States of America govern the contract.
• Sustainability: Encourages environmentally sustainable practices.
• Proof of Shipment: Details requirements for proof of shipment for payment.
• Variation in Quantity: States that no variation in quantity is accepted without authorization.
• Partial Deliveries: Prohibits partial deliveries unless authorized.
• Payments: Outlines payment procedures and penalties for late payments.
• Discounts for Prompt Payment: Addresses the treatment of prompt payment discounts.
• Notification of Debarment/Suspension Status: Requires contractors to notify the Contracting Officer of debarment or suspension.
• Non Waiver of Defaults: Clarifies that failure to enforce terms does not constitute a waiver.
• Travel Clause: Governs contractor travel arrangements and reimbursement.
• Increasing the Minimum Wage for Federal Contractors: Incorporates Executive Order 14026 regarding minimum wage.
• Establishing Paid Sick Leave for Federal Contractors: Incorporates Executive Order 13706 regarding paid sick leave.
• Representation Regarding Certain Telecommunications and Video Surveillance Services or Equipment: Addresses prohibitions and representations related to covered telecommunications equipment and services.
• Certification Regarding Knowledge of Child Labor for Listed End Products: Requires certification regarding the absence of forced or indentured child labor.
• Prohibition on Procurement of Certain Items Containing PFOS or PFOA: Prohibits procurement of specific items containing PFOS or PFOA.

This document is critical for any bidder responding to an opportunity involving a NAFI. It establishes the legal and contractual framework, outlining essential requirements related to claims, disputes, insurance, labor standards, termination, changes, and other critical aspects of contract performance. Understanding these clauses is vital for accurate proposal preparation, risk assessment, and successful contract execution.

Form / Attachment / Pricing Sheet

This document, "Supplies, Services and Prices," details the specific line items (CLINs) for services related to Payment Card Industry Data Security Standard (PCI DSS) Audit Readiness. It outlines the tasks and deliverables expected from the contractor for the base year and option years.

• CLIN 0001-0005: Initial tasks including Project Plan and RASCI matrix creation, Strategic Compliance Roadmap Refinement, Risk Assessment, Incident Response & Contingency Planning Support, and Documentation & Reporting Support.
• CLIN 0006-0011: Services related to Security Control Implementation & Remediation, Vulnerability Management, Merchant Services Optimization, and Audit Preparation & Execution.
• CLIN 0012-0013: Development of PCI DSS Discovery Reports and Reports on Compliance (ROC).
• CLIN 1001-4003: Services for option years, including Audit Preparation Support, ROC Development, and Project Plan/RASCI matrix creation.
• CLIN 0014: Travel costs, to be provided by the Contractor when requested by the CO or COR, in accordance with Federal Travel Regulation.

This document is crucial for bidders as it defines the specific services and deliverables required for the PCI DSS Audit Readiness opportunity. It breaks down the work into distinct CLINs, providing a clear scope of work for each year of the contract, including option years. Bidders must use this information to understand the full extent of services needed, estimate costs, and structure their proposals accordingly.

Solicitation / RFP / RFQ

This document is a Request for Quotations (RFQ) for "Payment Card Industry Data Security Standard Audit Readiness." The government is seeking quotations for services related to ensuring compliance with PCI DSS standards.

• The primary service requested is "Payment Card Industry Data Security Standard Audit Readiness."

• The RFQ includes numerous attachments detailing specific requirements, clauses, and evaluation factors.

• The RFQ number is F41999-26-Q-0007.

• Delivery is requested by 15 Feb 2027.

• Delivery terms are FOB Destination.

• Quotations must be submitted to the issuing office (AFSVC/VPЕВ) on or before 29 Jan 2026.

• The document references "Evaluation Factors - LPTA 3 Dec 2025.pdf" indicating a Lowest Price Technically Acceptable evaluation method.

• Not explicitly stated in the provided form, but the presence of "NAF Standard Clauses" may indicate specific eligibility or operational contexts.

• This is a Nonappropriated Fund Request.

• Numerous attachments are provided, including:

  • Instructions to Contractors
  • NAF Standard Clauses
  • Special Provisions
  • SOO - PCI DSS Audit Readiness
  • Supplies, Services and Prices
  • Evaluation Factors - LPTA
  • Deliveries or Performances
  • Contract Admin Data
  • Reps and Certs
  • Contractor Past Performance Information
  • Subcontractor Teaming Partner Information
  • Q&A
  • PCI Current State Assessment Executive Summary