PCI DSS Compliance Technical Support

Solicitation / RFP / RFQ

This document provides instructions, requirements, conditions, and notices to contractors for a solicitation. The requirement is funded by Air Force Morale, Welfare, and Recreation (MWR) programs, not appropriated funds. The government intends to award all phases to a single vendor, with Phase 2 and 3 execution contingent on results and funding.

• Contractors must submit quotes in Adobe PDF format via email.

• Quotes must include specific electronic files: Contractor's Statement Work (CSOW)/Technical Solution, Supplies, Services and Prices (Pricing), Deliveries or Performances (Delivery Schedule), NAF Standard Clauses confirmation, Contract Documentation (company background, executive summary, exceptions), Contractor Past Performance Information (PPI), Subcontractor/Teaming Partner Consent Letters, and Subcontractor/Teaming Partner PPI.

• All submissions must be in English.

• Quotes must be clear, detailed, and provide convincing rationale for meeting requirements. Ambiguous responses are unacceptable.

• Contractors must identify and provide rationale for any exceptions to solicitation terms and conditions.

• The quote validity period must be at least 180 calendar days from the closing date.

• The contract will include the entire agreement; oral or written representations not in the contract are not binding.

• Quotes are due via email to specified addresses.

• Marketing and informational material will not be evaluated and counts towards page limits.

• Failure to submit required documents may result in rejection.

• Evaluation will be based on Technical Solution/CSOW and Past Performance (LPTA - Lowest Price Technically Acceptable).

• Prime Contractors must provide proof of required certification within 10 calendar days of award.

• Not explicitly stated in this document, but funding is from MWR programs.

• This document outlines the structure and content for four files: Contract Documentation, Pricing, Technical Solution/CSOW, and Past Performance.

• Specific page limits and formatting requirements are detailed, including font type, size, and margins.

• The NAFI (presumably the contracting entity) will not be liable for costs incurred by contractors in submitting quotes.

Solicitation / RFP / RFQ

This document outlines the evaluation factors for the "PCI Compliance Technical Support & Sustainment Services" opportunity, which will be awarded using a Lowest Price Technically Acceptable (LPTA) basis. The Nonappropriated Fund Instrumentality (NAFI) intends to award one contract.

• The Contractor Statement of Work (CSOW) will be incorporated into the contract and must include a narrative addressing each paragraph in the Statement of Objectives (SOO) (Paragraphs 3-6.12), demonstrating the contractor's understanding and fulfillment of requirements.

• Quote validity period must be at least 180 calendar days from the closing date of the solicitation.

• The contract type is not explicitly stated, but the award will be made on an LPTA basis.

• Quotes are intended to be evaluated without discussions, so initial quotes should contain the contractor's best terms.

• The government reserves the right to award all, some, or none of the deliverables.

• The NAFI may require an oral presentation or interview from the LPTA-deemed contractor, with at least three (3) days' advance notice.

• Evaluation will be based on three factors:

  • FACTOR 1: Contractor Statement of Work (CSOW)/Technical Solution (Acceptable/Unacceptable)
  • FACTOR 2: Past Performance (Acceptable/Unacceptable)
  • FACTOR 3: Cost/Price

• Quotes will be evaluated for cost/price realism, balance, and reasonableness. Unrealistically low or high prices, or materially unbalanced pricing, can lead to elimination.

• The contractor will submit firm-fixed pricing. Travel costs are not included in the Total Price and will be paid separately per Federal Travel Regulation.

• Not specified in this document.

• Additional details regarding Past Performance Information (PPI) can be found in ATCH 10 and ATCH 11 (for subcontractor/teaming partners).

Form / Attachment / Pricing Sheet

This document, "Special Provisions," outlines specific terms and conditions that will govern the contract. It details the authority for contract changes, supervision and control, contract type and term, options to extend, price adjustments, and various clauses related to privacy, security, data stewardship, information disclosure, and communication.

• Contracting Officer's Authority: Only the Contracting Officer can approve changes.
• Type and Term: A Firm Fixed Price contract with a one (1) year base period and four (4) one (1) year options (total potential of five (5) years).
• Price Adjustments: Requests for price increases require written justification and Contracting Officer approval.
• Privacy Act: Contractor must comply with the Privacy Act of 1974 regarding systems of records on individuals.
• Section 508: All information and communication technology must meet accessibility standards.
• Data Stewardship: Software, database schemes, and documentation must be placed in escrow.
• Disclosure of Information: Unclassified information cannot be released without prior written approval.
• Communication: All issues and questions must be directed solely to the Contracting Officer.

This document is crucial for understanding the contractual framework, including how changes will be managed, the contract duration, conditions for price adjustments, and specific compliance requirements related to privacy, security, data handling, and communication protocols. Bidders should pay close attention to these provisions when preparing their proposals and understanding their potential obligations.

Form / Attachment / Pricing Sheet

This document, "NONAPPROPRIATED FUND STANDARD CLAUSES," outlines the standard terms and conditions that will be incorporated into a contract with a Nonappropriated Fund Instrumentality (NAFI). It serves as a foundational document detailing the legal, contractual, and operational framework for the agreement.

• Definitions: Clarifies key terms such as Contract, Contracting Officer, Contractor, COR, Day, and NAFI.
• Legal Status: Establishes the NAFI as an integral part of the Department of Defense and an instrumentality of the U.S. Government, noting that no appropriated funds will be paid to the Contractor.
• Claims, Protests & Appeals: Details the procedures for resolving disputes, noting that the contract is not subject to the Contract Disputes Act of 1978, but rather to specific NAFI procedures (IAW DoDI 4105.67 and DAFMAN 64-119).
• Representations: States that the written contract is the entire agreement and that oral representations are not binding.
• Insurance: Requires the Contractor to maintain specific insurance coverage.
• Procurement Integrity: Outlines certifications regarding ethical conduct and avoidance of conflicts of interest.
• Termination Clauses: Includes provisions for termination for convenience and termination for cause.
• Changes Clause: Allows the Contracting Officer to make changes within the general scope of the contract.
• Social Responsibility & Labor Standards: Addresses Combating Trafficking in Persons (CTIP), labor laws, work hours, compensation, benefits, and workplace safety.
• Inspection and Acceptance: Defines the process for inspection and acceptance of supplies and services.
• Taxes: Clarifies how taxes are handled within the contract price.
• Invoices: Specifies requirements for proper invoice submission for payment.
• Governing Law: States that the contract will be construed in accordance with Federal laws of the United States.
• Sustainability: Encourages environmentally sustainable practices.
• Prohibitions: Includes clauses related to covered telecommunications equipment, child labor, and PFOS/PFOA.

This document is crucial for potential bidders as it defines the fundamental contractual obligations, rights, and responsibilities for any contract awarded with a NAFI. Understanding these standard clauses is essential for accurately assessing the risks, requirements, and overall feasibility of bidding on an opportunity. It outlines critical aspects such as dispute resolution, termination conditions, labor standards, and compliance requirements that will govern the performance of the contract.

Statement of Objectives (SOO)

This SOO aims to achieve a proactive, centrally-governed security posture for the Air Force Services Center (AFSVC) to ensure long-term, verifiable Payment Card Industry Data Security Standard (PCI DSS) compliance. It seeks to provide AFSVC with full visibility into the cardholder data environment and empower local personnel for self-sufficient operation.

The contractor will provide expert technical support and sustainment for PCI DSS compliance. Key tasks include:

• Enterprise Security Suite Implementation: Deploying and integrating advanced security tools (SIEM, DLP, MFA) within the Cardholder Data Environment (CDE) to establish a centralized reporting capability.
• Targeted Technical Support and Sustainment: Providing hands-on support to installations lacking local IT expertise for vulnerability management, incident response, and operation of new enterprise tools. This includes training local staff and developing Standard Operating Procedures (SOPs) and Operating Instructions (OIs) for long-term self-sufficiency.
• Phase 1: Conduct a technical gap analysis and develop a solution strategy, including recommendations for a tool suite, integration into a reporting framework, cost analysis, and an implementation plan with a target completion of August 2026.
• Phase 2: Support the deployment and integration of security tools and services, validate implemented controls, and provide gap analysis remediation.
• Phase 3 (and Option Years): Provide steady-state daily operations and flexible surge support for up to 30 installations, including monitoring, SOP development, 24/7 support, PCI DSS assessment preparation, and knowledge transfer/training.

12 months from contract award, with additional option years considered.

• Minimum of five (5) years of hands-on experience in cybersecurity.
• Ability to obtain and maintain a Tier 1 security clearance.
• Relevant cybersecurity certifications (e.g., CISSP, CompTIA Security+).
• Experience in vulnerability management, networking, SIEM, operating systems, authentication, system architecture, and cloud security.
• Preferred: Experience with DAF/DoW IT environments.

Deliverables include a Technical Tool Gap Analysis and Solution Strategy report, a Solution Implementation Strategy document, system documentation (configuration guides, SOPs), various reports (weekly status, monthly progress, quarterly quality management, remediation, verification, compliance, incident response), and training materials.

Primary location is 3515 South General McMullen Bldg. 1, San Antonio, TX 78236-9854. Remote work is authorized for the majority of the contract, with potential for in-office work as needed.

Statement of Work (SOW) / Performance Work Statement (PWS)

This document outlines the "Deliveries or Performances" for the Payment Card Industry (PCI) Data Security Standard (DSS) Compliance Technical Support Team. The primary objective is to provide technical support and services to ensure compliance with PCI DSS requirements.

The scope of work is divided into three phases (Phase One, Phase Two, and Option Years One through Four) and includes a variety of tasks and deliverables, categorized by CLIN (Contract Line Item Number).

Key areas of work include:

• Gap Analysis and Solution Recommendations: Assessing the Cardholder Data Environment (CDE) to identify security gaps and recommend tools and services for a complete enterprise security suite.

• System Deployment: Installing, configuring, and integrating security tools and services into the existing CDE infrastructure.

• Testing and Validation: Developing and executing test plans to validate control effectiveness, conducting scanning and penetration testing, and verifying remediation measures.

• Support Services: Providing 24/7 support, including incident response, vulnerability management, and ongoing monitoring.

• Compliance Attestation and Reporting: Assisting with PCI DSS assessments, gathering evidence, preparing for audits, and delivering compliance reports.

• Training: Developing training materials and conducting "Train-the-Trainer" programs and ongoing training for personnel.

• Project Management: Developing and maintaining a project management plan, including scope, timelines, resources, and communication protocols.

• Reporting: Providing weekly status reports, monthly progress and financial reports, quarterly compliance reports, and meeting summaries.

• Deliverables are scheduled based on the contract award date.

• Specific reporting requirements include weekly status reports, monthly progress and financial reports, and quarterly compliance reports.

• Incident response requires reporting to AFSVC within one hour of initial awareness.

• Offerors must include standard commercial Service Level Agreements (SLAs) defining response and resolution time targets for various severity incidents.

• The period of performance is twelve months after receipt of award, with potential for option years.

• Deliverables are to be made according to a specified schedule, with specific dates and timeframes provided for each CLIN.

• All deliverables will be delivered to and approved by the Contracting Officer Representative (COR).

• Collaboration with the Government's designated QSA firm is required, but the contractor shall not perform QSA functions.

• Prioritization of modern, automated, and cloud-based tools and services is expected.

• Cost-efficient staffing models, including 'on-call' support, are preferred for 24/7 support services.

• Contractor must annotate if any deliverable timelines are concurrent with other deliverables.

• Performance time computation begins with the actual date of award.

Questions & Answers / Clarifications

This document provides responses to vendor questions regarding the PCI DSS Compliance Technical Support & Sustainment (AF Installations) opportunity, dated March 19, 2026.

• Vulnerability Management: The contractor is responsible for critical oversight, analysis, remediation guidance, and hands-on technical support for the vulnerability lifecycle, including monitoring and remediation, not operating the testing tools themselves.
• Managed Model: AFSVC is not open to a fully vendor-managed model for remote security operations (SOC, SIEM); the SOO outlines a collaborative model to empower local staff.
• On-site Support: Hands-on support is expected at approximately 20-30 of 104 locations. Travel is as-needed for physical audits; permanent local staff are not required.
• Security Clearance: Tier 1 clearance is sufficient for most unclassified work. Personnel will not be assigned duties requiring IAT-II or IAT-III, or "Limited Privileged Access" to NAFI applications or networks.
• CUI/CMMC: The vendor will handle CUI and require training. CMMC certification is not explicitly required by the SOO.
• Asset Management: The objective is a "proactive, centrally-governed security posture," indicating assets are not currently all centrally managed. Gaps in security tools and on-site support prevent proactive, centrally managed defense.
• Legacy Systems: Any in-scope legacy or end-of-life systems will be upgraded by August 2026. Many are scoped out using P2PE terminals.
• External Assets: External assets are out of scope for this SOO, though penetration testing is being conducted.
• Fee Arrangement: The contract will be fixed fee, based on deliverables.
• Cloud Workloads: Cloud workloads are in scope, with required expertise in AWS, Azure, and GCP.
• Standardization: Standardization is underway, moving from a decentralized to a centralized approach. An enterprise tool suite solution is requested where applicable.
• QSA Collaboration: The Government is engaged with a QSA firm, and the contractor is expected to collaborate to develop and execute a forward-looking strategy.
• Incident Response: The contractor is responsible for "hands-on technical support for ongoing...incident response," including containment, eradication, and recovery.
• Clearance Sponsorship: All clearances will be sponsored by the Government upon contract award.
• Transaction Volume: Over 13 million annual payment card transactions are processed.
• CDE Segmentation: The Cardholder Data Environment (CDE) is segmented from the rest of the corporate network.
• POS Terminals: Physical POS terminals are in use and in the process of full PCI validation.
• MOTO: Calls are not recorded for phone orders.
• Network Diagram: An up-to-date standardized network diagram exists.
• IT/Security Management: The SOO implies a mixed environment, with specialized on-site IT support required at many locations.
• PCI DSS Validation: AFSVC NAFI is a Level 1 Merchant undergoing a SAQ-D assessment.
• Location Types: Locations are DAF NAFI enterprise services programs (food, fitness, childcare, lodging, recreation).
• OCONUS Personnel: Non-US persons are not acceptable for OCONUS locations; Green Card holders must have held the card for three years.
• CLINs: A list of CLINs and descriptions will be provided in the RFQ.
• SOO Relationship: This SOO does not replace the January PCI DSS Audit Readiness SOO; they are separate and intended to work together.

These clarifications provide detailed information on technical requirements, operational models, personnel qualifications, and specific scope elements, which will be critical for bidders in developing their proposals. Key deadlines and submission requirements are not explicitly altered by these Q&As, but the scope and nature of the required support are further defined.

Form / Attachment / Pricing Sheet

This document, "ATCH 05 SUPPLIES SERVICES AND PRICES," details the specific line items (CLINs) for services and associated pricing for PCI Compliance Technical Support & Sustainment Services. It outlines the scope of work for each CLIN across multiple phases and option years, serving as a pricing schedule for potential bidders.

• Phased Approach: The services are broken down into "Phase One (1)", "Phase Two (2)", "Phase Three (3)", "Option Year One (1)", "Option Year Two (2)", "Option Year Three (3)", and "Option Year Four (4)".
• Line Item Numbers (CLINs): Each distinct service or deliverable is assigned a CLIN (e.g., CLIN 0001, CLIN 1001, CLIN 2001, etc.).
• Description of Services: Each CLIN includes a detailed description of the tasks, analysis, reports, support, or training to be provided. These primarily focus on PCI DSS compliance, gap analysis, system deployment, remediation, scanning, penetration testing, incident response, training, and project management.
• Unit and Total Price: Columns are provided for "Unit" (e.g., SV for Services) and "Total Price," indicating where pricing information is to be entered or has been provided.
• Travel: Specific provisions for travel costs are included, noting that travel will be provided by the Contractor when requested by the Contracting Officer (CO) or Contracting Officer's Representative (COR) and will be paid in accordance with the Federal Travel Regulation (FTR).

This document is critical for bidders as it defines the specific services required and provides the structure for submitting pricing. Bidders must carefully review each CLIN to understand the full scope of work and to accurately price their proposals. The breakdown by phase and option year allows for a clear understanding of the contract's potential duration and phased requirements. The inclusion of travel cost details is also important for comprehensive bid preparation.

Form / Attachment / Pricing Sheet

This document, titled "Contract Administration Data," provides essential information regarding the administration of a contract, including points of contact, invoicing procedures, payment methods, and contract payment schedules. It is intended to guide contractors on how contractual matters will be handled.

• Contractual Information: Contact details for the Contracting Officer (Ms. Valerie Baltimore) and Contract Specialist (Ms. Whitney Ward) for interpretation and assistance.
• Invoices: Payment will be made according to agreed-upon terms, identified in the Purchase Order block 10.
• Method of Payment: Payment will be processed via NAF Purchase Card (Visa).
• Contract Payment Schedule: Details how payments for Phase 1, Phases 2 & 3, and option years will be calculated and submitted monthly.
• Contracting Officer's Representative (COR): Information on how the COR and Alternate will be provided at the time of award, with placeholders for their specific details.

This document is crucial for bidders to understand the administrative and financial processes associated with the contract. It outlines who to contact for contractual issues, how invoices will be processed and paid, and the payment schedule, which are all important considerations for proposal development and contract execution.

Form / Attachment / Pricing Sheet

This document, "Reps and Certs," contains standard representations, certifications, and other statements required from offerors or quoters as part of their submission. It ensures compliance with various federal regulations and policies.

• Type of Business Organization: Requires the offeror to specify its business structure (e.g., corporation, partnership, individual).
• Certificate of Independent Price Determination: Certifies that prices were determined independently and not shared with competitors.
• Buy American - Trade Agreements - Balance of Payments Program Certificate: Requires certification regarding the origin of end products and components, impacting evaluation preferences.
• Payment Address: Specifies where payments should be made.
• Acknowledgement of Amendments: A section for offerors to acknowledge receipt of any amendments to the solicitation.
• Authorized Negotiators: Lists individuals authorized to negotiate on behalf of the offeror.
• Certification Regarding Debarment, Suspension, Proposed Debarment, and Other Responsibility Matters: Certifies the offeror's and its principals' eligibility and lack of debarment or suspension.
• Taxpayer Identification (TIN): Requires the offeror's Taxpayer Identification Number and corporate status.

Completion and submission of this document are mandatory for all offerors. It directly impacts the evaluation of proposals, particularly concerning price determination and the origin of goods. Failure to provide accurate and complete information may affect an offeror's responsibility determination and the potential award of a contract.

Form / Attachment / Pricing Sheet

This document, titled "Contractor Past Performance Information (PPI)," is a form that bidders must complete to provide information about their past performance on similar projects. It is intended to help the government evaluate a bidder's capability to perform the work required for the opportunity.

Bidders are required to fill out one worksheet for each reference, with a minimum of three references. Each reference entry requires the following information:

• Reference Company/Division Name
• Reference Company Physical and Mailing Address
• Reference Company Contact (POC) details (Name & Title, Phone Number, Email)
• Program/Project title for similar projects completed within the last five (5) years
• Contract number/solicitation number (if applicable)
• Description of the contract/project effort, including magnitude and complexity compared to current requirements
• Type of contract/project (e.g., Firm Fixed Price, Time and Materials, Cost Plus)
• Period of performance (original vs. current/actual schedule)
• Number and primary causes of project scope or requirements changes
• Contract dollar value (original vs. current/actual value at completion)
• Current or actual completion date, or percentage of completion if ongoing
• Role(s) of any sub-contractors and their contact information (Name/Title, Affiliation, Business Address, Telephone & Fax Numbers)

This form is crucial for bidders to demonstrate their relevant experience and successful project execution. Accurate and complete submission of past performance information is essential for the evaluation of proposals. Bidders must ensure they have at least three relevant references and provide detailed information as requested.

Form / Attachment / Pricing Sheet

This document, "Subcontractor/Teaming Partner Past Performance Information (PPI)," is a form designed to collect detailed information about past performance for subcontractors or teaming partners. It requires a minimum of three references per subcontractor/teaming partner.

• Submitting Reference Information: Name, physical and mailing address, and contact person (POC) details (Name & Title, Phone Number, Email) for the reference company/division.
• Project Details: Program/Project title, contract/solicitation number, description of effort (including magnitude and complexity relative to current project requirements), contract type, and period of performance (original and current/actual schedules).
• Contract Performance: Information on scope or requirements changes (number of changes, primary causes), contract dollar value (original and current/actual), and completion status (date or percentage).
• Team Member Roles: Specification of roles for any subcontractors involved in the referenced project, including their name, title, affiliation, business address, and telephone/fax numbers.

This form is crucial for bidders who intend to use subcontractors or teaming partners. It requires them to gather and submit comprehensive past performance data for these partners, which will likely be a significant factor in the overall evaluation of the bid. Bidders must ensure they collect all required details accurately and completely for each reference provided.

Form / Attachment / Pricing Sheet

This document is a "SAMPLE SUBCONTRACTOR/TEAMING PARTNER CONSENT LETTER FOR THE RELEASE OF PAST PERFORMANCE INFORMATION TO THE PRIME CONTRACTOR." It serves as a consent form for subcontractors or teaming partners to allow their past performance information to be discussed with the prime contractor during the source selection process.

• Identifies the participating entity as a "subcontractor" or "teaming partner."
• Requires the name of the prime contractor or entity providing the quote.
• References the specific Request for Quote (RFQ) number: F41999-26-Q-0055 for "Payment Card Industry Data Security Standard Compliance Technical Support Team."
• Acknowledges the emphasis on past performance for best value source selections.
• Requires a signature, title, and date from an authorized individual.

Prime contractors may require their potential subcontractors or teaming partners to complete and submit this form as part of their proposal. It indicates that the subcontractor/teaming partner agrees to have their past performance information shared with the prime contractor for evaluation purposes within the context of this specific RFQ.

Questions & Answers / Clarifications

This document provides responses to vendor questions regarding the PCI DSS Compliance Technical Support and Sustainment opportunity. It clarifies aspects of the Statement of Objectives (SOO) related to scanning, segmentation, tools, procurement, support models, and in-scope installations.

• Scanning: The government is performing internal/external network scans and penetration testing. The acquired tooling is for asset discovery, inventory, and vulnerability assessment. The contractor's role is oversight, analysis, and remediation guidance, not operating the testing tools.
• Segmentation: The contractor will recommend segmentation improvements and validate segmentation evidence/remediation, while implementation remains with local IT or other parties.
• Tools Scope: The tools requirement applies enterprise-wide to all PCI in-scope systems, not just the Cardholder Data Environment (CDE).
• Procurement: The government (AFSVC) will procure all necessary software, hardware, and licensing. The contractor will be responsible for implementation (or guidance), configuration, and management of these government-furnished tools.
• Support Model: "24/7 support" is comprehensive, covering all operational security functions. Incidents (suspected, not confirmed) must be reported within one hour of identification, regardless of the detection source.
• In-scope Installations: Installations are determined by a risk-based assessment focusing on IT support availability, skill gaps, or geographic isolation. A list will be provided upon contract award.
• Access: The contractor team will provide expert, hands-on guidance and remediation support, while designated government personnel will execute privileged actions.

The Q&A clarifies the scope and execution of the requirement, impacting how vendors should structure their technical solutions and pricing. The government notes this is a competitive Lowest Price Technically Acceptable (LPTA) RFQ, with price as the most important factor for technically acceptable contractors. The government is open to suggestions if Firm-Fixed Price (FFP) is not beneficial in certain areas. An updated SOO is referenced in response to a question about deliverables and proposal requirements.

Solicitation / RFP / RFQ

This document is a Request for Quotations (RFQ) for PCI DSS Compliance Technical Support & Sustainment Services. The government is seeking quotations for these services.

The primary service requested is "PCI DSS Compliance Technical Support & Sustainment Services". This is detailed in various attached documents.

• Delivery By: 31 May 2027

• Delivery Terms: FOB Destination or FOB Origin (to be determined by quoter)

• Submission Deadline: Close of Business on 30 Apr 2026.

• Submission Instructions: Furnish quotations to the issuing office (AFSVC/VPЕВ, 2261 Hughes Avenue, Suite 156, JBSA Lackland, TX 78236-9854).

• Evaluation: Evaluation Factors are detailed in ATCH06.

This is a Nonappropriated Fund Request.

This RFQ includes numerous attachments detailing specific requirements, clauses, and instructions for bidders. Key attachments include:

• ATCH01: Instructions to Contractors
• ATCH04: SOO - PCI Tools Technical IT Support
• ATCH06: Evaluation Factors - LPTA
• ATCH13 & ATCH14: Q&A documents related to Pre-Solicitation Notification.