Hack the Box Class Vouchers/License

v4.10_DECEMBER2025 1 STATEMENT OF WORK (SOW)/PERFORMANCE WORK STATEMENT (PWS) Hack the Box 1.0 Background The NUWC Red Team (NUWC RT) and the Federated Red Team Member Program (FRTMP) operators require continuous training to learn new tactics, techniques, and procedures to refine and increase their technical skills. Having access to continuous training allows the operators to perform the training they need when they have time available outside of normal operations. Since NUWC RT and FRTMP operators require a varied set of cybersecurity skills to accomplish their tasking, they have looked for vendors that could fulfill the need. The Hack the Box (going forward identified as the contractor) has been identified as the best “one-stop shop” to acquire the required training. Due to the fluctuating offering dates and normal operation dates, it has been identified that asking for class vouchers would be a more suitable alternative rather than asking for class seats on specific class offers. The contractors shall deliver the requirements outlined in section 4.0 1.1 Places of Performance The participants can either take the classes online with a virtual instructor, or they can register for a public course offering in person. 1.2 Authorized Users The members of the NUWC Red Team (NUWC RT) or Federated Red Team (FRTMP) are the only authorized users. 1.3 Sponsors NUWCDIUVNPT. Funding is provided by Code 90 Overhead Budget. 1.4 Types of Funding Funding is provided by Code 90 Overhead Budget. 2.0 Scope The award shall be for a minimum of four (4) individual class vouchers/licenses redeemable until 31 December 2027. 2.1 Program or Systems Supported NUWC Red Team (NUWC RT) and Federated Red Team Member Program (FRTMP). 3.0 Applicable Documents N/A 4.0 Technical Requirements -- 1 of 4 -- v4.10_DECEMBER2025 2 4.1 The contractor shall provide at least (5) class vouchers/licenses. 4.2 The contractor shall only redeem class vouchers/licenses as requested by the TPOC. 4.3 The contractor shall provide trainers qualified to facilitate the “in person” and “live online” training options. 4.4 If the “In-person” version of a class is selected, the contractor shall provide an off-site location within CONUS, equipped to facilitate the training. 4.5 If the “live online” or “on demand” version of a class is selected, the class environment shall be operational 99.9% for the duration of the class. 4.6 The contractor shall provide remote troubleshooting assistance for student web connectivity and training related issues, for each seat, for the duration of class. 5.2 Training No training is required for the contractor employees. 5.0 Government Furnished Information No Government furnished property, material or information will be provided with this contract. 7.0 Government Furnished Property No Government furnished property, material or information will be provided with this contract. 8.0 Quality Surveillance and Performance Standards N/A 9.0 Information and Communication Technology (ICT) Accessibility Requirements The Government has determined that this procurement is not Information and Communication Technology (ICT). 10.0 Security Compliance 10.1 Program Protection SECURITY: All Contractor personnel shall adhere to the Security provisions of 32 CFR Part 117 – National Industrial Security Program Operating Manual (NISPOM). While performing work at a Government Facility, Contractor personnel shall comply with the security regulations of the host facility. Applicable FAR, DFARS, NMCARS clauses, and NAVSEA text shall be adhered to in the performance of this contract. Security incidents shall be promptly reported through the -- 2 of 4 -- v4.10_DECEMBER2025 3 companies Facility Security Officer (FSO), to the Contracting Officer’s Representative (COR), Technical Point of Contact (TPOC), and the Cognizant Security Office to NUWCDIVNPT Security. Controlled Unclassified Information (CUI) including Legacy FOUO and Covered Defense Information (meeting the definition of 48 CFR 252.204–7012(a)) generated and/or provided under this contract shall be marked and safeguarded as specified in DoD Instruction 5200.48, CUI available at: https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/520048p.PDF. Any product containing Covered Defense Information shall be assigned a distribution statement (distribution statements B through F) in accordance with DoDI 5230.24 (Distribution Statements on Technical Documents); and DoDI 5230.24, Enclosure 3 Procedures, available at https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/523024p.pdf INFORMATION SECURITY: If the work is performed at the Contractor's facility, the Contractor shall implement and maintain security procedures and controls to prevent unauthorized disclosure of classified information and controlled unclassified information (CUI) and to control distribution of CUI in accordance with National Industrial Security Program Operating Manual (NISPOM) codifying 32 CFR Part 117, NISPOM Rule, and SECNAV M- 5510.36B. If the work is performed at the Government's facility, the Contractor shall comply with facility policy. CUI INCIDENT REPORTING AND RESPONSE: The Contractor shall promptly report any unauthorized, inadvertent, or illegal release or disclosure of CUI to the Contracting Officer’s Representative / Technical Point of Contact (TPOC), Procuring Contracting Officer, and the Security Office. Contractor personnel shall coordinate this effort through the relevant industry site FSO. PUBLIC RELEASE: Any controlled unclassified information pertaining to this contract shall not be released for public dissemination, including posting to any social media sites such as Facebook or Twitter, unless it has been approved for public release by appropriate U.S. Government authority. Proposed public releases shall be submitted for approval prior to release through the appropriate U.S. Government Office. 10.2 Operations Security (OPSEC) OPSEC is a process that identifies critical info…