Department of Homeland Security
Customs & Border Protection (CBP)
Statement of Work
Google Cloud for INVNT

Contents
General and Scope (page 2)
Period and Place of Performance (page 2)
Invoicing and Payment (page 3)
Points of Contact
Clauses

Page 1 of 10

General and Scope

Google Cloud Platform (GCP) will be utilized for innovation projects for C1's INVNT team, such as next-generation IoT, NLP (Natural Language Processing), language translation, the Andril image camera, and any other future-looking project for CBP. GCP has unique product features which will help execute on the mission needs.

AI Platform: AI Platform makes it easy for machine learning developers, data scientists, and data engineers to take their ML projects from ideation to production and deployment, quickly and cost-effectively. From data engineering to "no lock-in" flexibility, AI Platform's integrated tool chain helps you build and run your own machine learning applications.

Enterprise AI/ML on the Edge: Google enables enterprises to deploy, manage and run ML models on fleets of remote edge devices in a secure manner, while providing cloud services for data ingestion, device and ML model management.

Embedded AI/ML: Intelligence has been embedded into everything, making it easy for you to apply artificial intelligence and machine learning to revolutionize customer experience.

Turn data into actionable insights with a serverless data analytics and machine learning platform that surpasses conventional limitations of scale, performance, and cost efficiency.

Edge TPU: Google's purpose-built ASIC designed to run AI at the edge. It delivers high performance in a small physical and power footprint, enabling the deployment of high-accuracy AI at the edge. Edge TPU complements Cloud TPU and Google Cloud services to provide an end-to-end, cloud-to-edge, hardware and software infrastructure for facilitating the deployment of customers' AI-based solutions.

Fully managed Cloud IoT Core: Cloud IoT Core is a fully managed service that allows you to easily and securely connect, manage, and ingest data from millions of globally dispersed devices. Cloud IoT Core, in combination with other Google Cloud services like AutoML, BigQuery and Looker, provides a complete solution for collecting, processing, analyzing, and visualizing IoT data in real time to support improved operational efficiency.

Hybrid and Multi-Cloud: Open cloud infrastructure, whether it's on-prem, hybrid, or multi-cloud. Our managed modern application platform, Anthos, allows your developers to write a cloud-native application once and then run it on-premises, on Google Cloud, or on other clouds, thereby avoiding vendor lock-in. You can also modernize existing applications running on virtual machines while deploying cloud-native apps on containers in an increasingly hybrid and multi-cloud world.

Security: End-to-end security solutions to protect everything from datacenter to device with purpose-built infrastructure and security by default. The same security technology that supports Google's private global network protects your data while meeting rigorous industry-specific compliance standards.

FedRAMP High Certification: Built on the same future-proof infrastructure that returns billions of search results in milliseconds, serves 6 billion hours of YouTube video per month, and provides storage for 1 billion Gmail users. Our infrastructure is protected by more than 700 experts in information, application, and network security.

Fully Managed NoOps: Google Cloud is reliable, constant, and scalable. It automatically scales to thousands of cores in seconds, with up to 35% discounts for sustained use.

Period and Place of Performance

The period of performance shall be one year from date of award. All work will be provided at contractor facilities.

Invoicing and Payment

Beginning April 11, 2016, payment requests for all new awards must be submitted electronically through the U.S. Department of the Treasury's Invoice Processing Platform System (IPP). Payment terms for existing contracts and orders awarded prior to April 11, 2016 remain the same. The Contractor must use IPP for contracts and orders awarded April 11, 2016 or later, and must use the non-IPP invoicing process for those contracts and orders awarded prior to April 11, 2016.

"Payment request" means any request for contract financing payment or invoice payment by the Contractor. To constitute a proper invoice, the payment request must comply with the requirements identified in FAR 32.905(b), "Payment documentation and process," and the applicable Prompt Payment clause included in this contract.

The IPP website address is: https://www.ipp.gov. The IPP was designed and developed for Contractors to enroll, access and use IPP for submitting requests for payment. Contractor assistance with enrollment can be obtained by contacting IPPCustomerSupport@fms.treas.gov or phone (866) 973-3131. If the Contractor is unable to comply with the requirement to use IPP for submitting invoices for payment, the Contractor must submit a waiver request in writing to the contracting officer.

Points of Contact

National Finance Center: CBPINVOICES@cbp.dhs.gov

Clauses

Enterprise Architecture Compliance

The Offeror shall ensure that the design conforms to the Department of Homeland Security (DHS) and Customs and Border Protection (CBP) Enterprise Architecture (EA), the DHS and CBP Technical Reference Models (TRM), and all DHS and CBP policies and guidelines (such as the CBP Information Technology Enterprise Principles and the DHS Service Oriented Architecture - Technical Framework), as promulgated by the DHS and CBP Chief Information Officers (CIO), Chief Technology Officers (CTO) and Chief Architects (CA).

The Offeror shall conform to the Federal Enterprise Architecture (FEA) model and the DHS and CBP versions of the FEA model, as described in their respective EAs. All models will be submitted using Business Process Modeling Notation (BPMN 1.1 or BPMN 2.0 when available) and the CBP Architectural Modeling Standards. Universal Modeling Language (UML2) may be used for infrastructure only. Data semantics shall be in conformance with the National Information Exchange Model (NIEM). Development solutions will also ensure compliance with the current version of the DHS and CBP target architectures.

The Offeror shall use DHS/CBP approved products, standards, services, and profiles, as reflected by the hardware, software, application, and infrastructure components of the DHS/CBP TRM/standards profile. If new hardware, software, or infrastructure components are required to develop, test, or implement the program, these products will be coordinated through the DHS and CBP formal Technology Insertion (TI) process (to include a trade study with no less than four alternatives, one of which reflects the status quo and another reflecting multi-agency collaboration). The DHS/CBP TRM/standards profile will be updated as TIs are resolved.

All developed solutions shall be compliant with the Homeland Security (HLS) EA. All IT hardware and software shall be compliant with the HLS EA. Compliance with the HLS EA shall be derived from and aligned through the CBP EA.

Description information for all data assets, information exchanges and data standards, whether adopted or developed, shall be submitted to the Enterprise Data Management Office (EDMO) for review, approval, and insertion into the DHS Data Reference Model and Enterprise Architecture Information Repository. Development of data assets, information exchanges, and data standards will comply with the DHS Data Management Policy MD 103-01. All data-related artifacts will be developed and validated according to DHS Data Management Architectural Guidelines.

Applicability of Internet Protocol version 6 (IPv6) to DHS-related components (networks, infrastructure, and applications) specific to individual acquisitions shall be in accordance with the DHS EA (per OMB Memorandum M-05-22, August 2, 2005), regardless of whether the acquisition is for modification, upgrade, or replacement. All EA-related component acquisitions shall be IPv6 compliant, as defined in the USGv6 Profile (NIST Special Publication 500-267) and the corresponding declarations of conformance, defined in the USGv6 Test Program.

Geospatial

This clause does not apply to this order.

DHS Security Policy Requirement

The following terms and conditions should be included in all acquisition documents. All hardware, software, and services provided under this task order must be compliant with DHS 4300A DHS Sensitive System Policy and the DHS 4300A Sensitive Systems Handbook.

Encryption Compliance Requirement

The following terms and conditions should be included in all acquisition documents.
1. FIPS 197 (Advanced Encryption Standard (AES)) 256 algorithm and cryptographic modules that have been validated under FIPS 140-2.
2. National Security Agency (NSA) Type 2 or Type 1 encryption.
3. Public Key Infrastructure (PKI) (see paragraph 5.5.2.1 of the Department of Homeland Security (DHS) IT Security Program Handbook (DHS Management Directive (MD) 4300A) for Sensitive Systems).

Interconnection Security Agreement (ISA)

The following requirements should be included in the acquisition document if the service being supplied requires a connection to a non-DHS system, a Contractor system, or a DHS system of different sensitivity.

Interconnection Security Agreement Requirements

Interconnections between DHS and non-DHS IT systems shall be established only through controlled interfaces and via approved service providers. Connections with other Federal agencies shall be documented based on interagency agreements: memoranda of understanding, service level agreements, or interconnect service agreements.

Required Protections for DHS Systems Hosted in Non-DHS Data Centers

The following requirements should be included in acquisition documents for information systems which are hosted, operated, maintained, and used on behalf of DHS at non-DHS facilities. Contractors are fully responsible and accountable for ensuring compliance with all Federal Information Security Management Act (FISMA), National Institute of Standards and Technology (NIST) Federal Information Processing Standard (FIPS) and related DHS security control requirements (to include configuration guides, hardening guidance, DHS Security Policy, Procedures, and Architectural guidance). The contractor security procedures shall be the same as or greater than those that are provided by DHS Enterprise Data Center(s). Please note that all of the subsections from Security Authorization to Log Retention are included in this requirement.

Enterprise Security Architecture

The contractor shall utilize and adhere to the DHS Enterprise Security Architecture in accordance with applicable laws and DHS policies to the satisfaction of the DHS COTR. Areas of consideration could include:
1. Use of multi-tier design (separating web, application and database) with policy enforcement between tiers
2. Compliance to DHS Identity Credential Access Management (ICAM)
3. Security reporting to DHS central control points (i.e., the DHS Security Operations Center (SOC)) and integration into DHS Security Incident Response
4. Integration into DHS Change Management (for example, the Infrastructure Change Control Board (ICCB) process)
5. Performance of activities per continuous monitoring requirements

Continuous Monitoring

The contractor shall participate in DHS' Continuous Monitoring Strategy and methods or shall provide a Continuous Monitoring capability that the DHS determines acceptable. The DHS Chief Information Security Officer (CISO) issues annual updates to its Continuous Monitoring requirements via the Annual Information Security Performance Plan. At a minimum, the contractor shall implement the following processes:
1. Asset Management
2. Vulnerability Management
3. Configuration Management
4. Malware Management
5. Log Integration
6. Security Information Event Management (SIEM) Integration
7. Patch Management
8. Providing near-real-time security status information to the DHS SOC

Specific Protections

Specific protections that shall be provided by the contractor include, but are not limited to, the following:

Security Operations

The Contractor shall operate a SOC to provide the security services described below. The Contractor shall support regular reviews with the DHS Information Security Office to coordinate and synchronize the security posture of the contractor hosting facility with that of the DHS Data Centers. The SOC personnel shall provide 24x7x365 staff to monitor the network and all of its devices. The contractor staff shall also analyze the information generated by the devices for security events, respond to real-time events, correlate security device events, and perform continuous monitoring. It is recommended that the contractor staff also maintain a trouble ticket system in which incidents and outages are recorded. In the event of an incident, the contractor facility SOC shall adhere to the incident response plan.

Computer Incident Response Services

The Contractor shall provide Computer Incident Response Team (CIRT) services. The contractor shall adhere to the standard Incident Reporting process as determined by the Component and defined by a DHS-specific incident response plan that adheres to DHS policy and procedure for reporting incidents. The contractor shall conduct Incident Response Exercises to ensure all personnel are familiar with the plan. The contractor shall notify the DHS SOC of any incident in accordance with the Incident Response Plan and work with DHS throughout the incident duration.

Firewall Management and Monitoring

The Contractor shall provide firewall management services that include the design, configuration, implementation, maintenance, and operation of all firewalls within the hosted DHS infrastructure in accordance with DHS architecture and security policy. The contractor shall provide all maintenance, to include configuration, patching, and rule maintenance (add, modify, delete), and comply with DHS' configuration management / release management requirements when changes are required. Firewalls shall operate 24x7x365. Analysis of the firewall logs shall be reported to the DHS COTR in weekly status reports. If an abnormality or anomaly is identified, the contractor shall notify the appropriate DHS point of contact in accordance with the incident response plan.

Intrusion Detection Systems and Monitoring

The Contractor shall provide the design, configuration, implementation, and maintenance of the sensors and hardware that are required to support the NIDS solution. The contractor is responsible for creating and maintaining the NIDS rule sets. The NIDS solution should provide real-time alerts. These alerts and other relevant information shall be located in a central repository. The NIDS shall operate 24x7x365. A summary of alerts shall be reported to the DHS COTR in weekly status reports. If an abnormality or anomaly is identified, the contractor shall notify the appropriate DHS point of contact in accordance with the incident response plan.

Physical and Information Security and Monitoring

The Contractor shall provide a facility using appropriate protective measures to provide for physical security. The facility will be located within the United States and its territories. The contractor shall maintain a process to control physical access to DHS IT assets. DHS IT assets shall be monitored 24x7x365. A summary of unauthorized access attempts shall be reported to the appropriate DHS security office.

Vulnerability Assessments

The Contractor shall provide all information from any managed device to DHS, as requested, and shall assist, as needed, to perform periodic vulnerability assessments of the network, operating systems, and applications to identify vulnerabilities and propose mitigations. Vulnerability assessments shall be included as part of compliance with the continuous monitoring of the system.

Anti-malware (e.g., virus, spam)

The Contractor shall design, implement, monitor and manage a comprehensive anti-malware service. The contractor shall provide all maintenance for the system providing the anti-malware capabilities, to include configuration and definition updates, and comply with DHS' configuration management / release management requirements when changes are required. A summary of alerts shall be reported to the DHS COTR in weekly status reports. If an abnormality or anomaly is identified, the contractor shall notify the appropriate DHS point of contact in accordance with the incident response plan.

Patch Management

The Contractor shall provide patch management services. The contractor shall push patches that are required by vendors and the DHS system owner. This is to ensure that the infrastructure and applications that directly support the DHS information system are current in their release and that all security patches are applied. The contractor shall be informed by DHS which patches are required by DHS through the Information Security Vulnerability Management bulletins and advisories. Core applications, the ones DHS utilizes to fulfill their mission, shall be tested by DHS. However, the contractor shall be responsible for deploying patches as directed by DHS. It is recommended that all other applications (host-based intrusion detection system (HIDS), network intrusion detection system (NIDS), anti-malware, and firewall) be tested by the contractor in a test environment prior to deployment.

Log Retention

Log files for all infrastructure devices, physical access, and anti-malware should be retained online for 180 days and offline for three years.

Supply Chain Risk Management Requirement

Supply chain risks result from adversarial exploitation of the organizations, people, activities, information, resources, or facilities that provide hardware, software, or services. These risks can result in a loss of confidentiality, integrity, or availability of information or information systems. A compromise to even minor system components can lead to adverse impacts to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation.

Authorities:
• Comprehensive National Cybersecurity Initiative (CNCI) Initiative 11, Develop Multi-Pronged Approach for Global Supply Chain Risk Management
• Department of Homeland Security, Security Policy for Sensitive Systems 4300A
• Homeland Security Presidential Directive 23, Cyber Security and Monitoring, 8 January 2008
• Office of Management and Budget Circular A-130, Appendix III
• National Institute of Standards and Technology, Special Publication 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, April 2013

Supply Chain Risk Management

The following requirements should be included in all hardware and software requests to ensure the confidentiality, integrity, and availability of government information.

The Contractors supplying the Government hardware and software shall provide the manufacturer's name, address, state and/or domain of registration, and the Data Universal Numbering System (DUNS) number for all components comprising the hardware and software. If subcontractors or subcomponents are used, the name, address, state and/or domain of registration and DUNS number of those suppliers must also be provided. Subcontractors are subject to the same general requirements and standards as prime contractors. Contractors employing subcontractors shall perform due diligence to ensure that these standards are met. The Government shall be notified when a new contractor/subcontractor/service provider is introduced to the supply chain, or when suppliers of parts or subcomponents are changed.

Contractors shall provide, implement, and maintain a Supply Chain Risk Management Plan that addresses internal and external practices and controls employed to minimize the risk posed by counterfeits and vulnerabilities in systems, components, and software. The Plan shall describe the processes and procedures that will be followed to ensure appropriate supply chain protection of information system resources developed, processed, or used under this contract.

The Supply Chain Risk Management Plan shall address the following elements:
1. How risks from the supply chain will be identified,
2. What processes and security measures will be adopted to manage these risks to the system or system components, and
3. How the risks and associated security measures will be updated and monitored.

The Supply Chain Risk Management Plan shall remain current through the life of the contract or period of performance. The Supply Chain Risk Management Plan shall be provided to the Contracting Officer Technical Representative (COTR) 30 days post award.

The Contractor acknowledges the Government's requirement to assess the Contractor's Supply Chain Risk posture. The Contractor understands and agrees that the Government retains the right to cancel or terminate the contract if the Government determines that continuing the contract presents an unacceptable risk to national security. The Contractor shall disclose, and the Government will consider, relevant industry standards certifications, recognitions and awards, and acknowledgments.

The Contractor shall provide only new equipment unless otherwise expressly approved, in writing, by the Contracting Officer (CO). Contractors shall only provide Original Equipment Manufacturer (OEM) parts to the Government. In the event that a shipped OEM part fails, all replacement parts must be OEM parts. The Contractor shall be excused from using new OEM components (i.e., may use "grey market," previously used components) only with formal Government approval. Such components shall be procured from their original genuine source and shipped only from manufacturer-authorized shipment points.

For software products, the contractor shall provide all OEM software updates to correct defects for the life of the product (i.e., until "end of life"). Software updates and patches must be made available to the government for all products procured under this contract.

Contractors shall employ formal and accountable transit, storage, and delivery procedures (i.e., the possession of the component is documented at all times from initial shipping point to final destination, and every transfer of the component from one custodian to another is fully documented and accountable) for all shipments to fulfill contract obligations with the Government. All records pertaining to the transit, storage, and delivery will be maintained and available for inspection for the lesser of the term of the contract, the period of performance, or one calendar year from the date the activity occurred. These records must be readily available for inspection by any agent designated by the US Government as having the authority to examine them. This transit process shall minimize the number of times en route components undergo a change of custody and make use of tamper-proof or tamper-evident packaging for all shipments. The supplier, at the Government's request, shall be able to provide shipping status at any time during transit.

The Contractor is fully liable for all damage, deterioration, or losses incurred during shipment and handling, unless the damage, deterioration, or loss is due to the Government. The Contractor shall provide a packing slip which shall accompany each container or package, with information identifying the contract number, the order number, a description of the hardware/software enclosed (manufacturer name, model number, serial number), and the customer point of contact. The contractor shall send a shipping notification to the intended government recipient or contracting officer. This shipping notification shall be sent electronically and will state the contract number, the order number, a description of the hardware/software being shipped (manufacturer name, model number, serial number), initial shipper, shipping date and identifying (tracking) number.