SOURCES SOUGHT
D -- IT Audit Services
- Notice Date
- 4/16/2008
- Notice Type
- Sources Sought
- NAICS
- 541519
— Other Computer Related Services
- Contracting Office
- Department of the Treasury, Bureau of the Public Debt (BPD), Division of Procurement, Avery 5F, 200 Third Street, Parkersburg, West Virginia, 26106-5312
- ZIP Code
- 26106-5312
- Solicitation Number
- RFI-FIG-08-0023
- Point of Contact
- Bernie Kern,, Phone: 304-480-7003, Jane Oney,, Phone: 304-480-8004
- E-Mail Address
-
psb3@bpd.treas.gov, psb3@bpd.treas.gov
- Description
- The Bureau of the Public Debt’s on behalf of the Department of Homeland Security-Office of the Inspector General (DHS-OIG) is conducting market research to determine sources capable of information technology IT) audit services. The Contractor shall provide the following services: 1. External Vulnerability Test: Leverage security expertise, best-of-breed tools, and extensive field experience to discover and document security exposures that could be used to infiltrate a component’s network. 2. Internal Vulnerability Scanning: Determine the vulnerability of critical assets and provide an understanding of the relative impact an exploitation may have on business continuity. An Internal Assessment includes: ·Network Technical Testing – A comprehensive vulnerability scan of the in-scope servers and network devices using automated scanning tools, including network and database scanner tools to identify known vulnerabilities – Backdoors, Security Patch Level, CGI-Bin, Email, Web, FTP. ·Operating System Testing – Analysis of various components in identified operating systems using automated tools, including Internet Scanner to identify known vulnerabilities – Backdoors, Security Patch Levels, file permissions, registry permissions, operating system and Web server configurations, file system access control, services, sub-systems, network configurations, event logging. ·Database Testing – Conduct a series of technical checks on a sampling of Oracle, Microsoft SQL and Sybase databases using Database Scanner to identify known vulnerabilities — default accounts, user accounts, stored procedures, user permissions, password strength, event logging, patch levels. 3. External Penetration Testing Network Discovery and Reconnaissance Conduct network discovery testing of the network ranges as defined in the audit scope. Perimeter or Internal Attack Following reconnaissance, key vulnerabilities are exploited on perimeter or internal systems. Remote Exploitation Use avenues provided in the previous tasks to attempt further penetration into the network. It is extremely common that access obtained within a DMZ network can be leveraged to gain additional access indirectly. This task highlights that it is not only critical that DMZ or extranets be logically separated from internal segments, but that all information and data on external networks maintain a logical separation as well. 4. Application Assessment During this assessment, the Advanced Technology Division we perform the following tasks: Information Gathering In order to test a custom application, it is critical that Advanced Technology Division fully understand the application and its basic design. Technical Testing After the comprehensive review of the application, begin the technical testing phase. Apply the assessment testing methodology for all applications. The methodology was designed to cover all aspects of application security Application Testing Testing will leverage commercial application scanning tools, as well as an internal tool suite to identify potential weaknesses in the application. Many application-layer vulnerabilities manifest as a result of simple logic-flow issues, based on poor design. 5. Security Architecture Review Assess current network security measures as they compare to security best practices, business objectives and regulatory requirements. 6. Host Build Assessment Leverage security expertise, best-of-breed tools, and extensive field experience to discover and document security exposures that could be used to infiltrate a component’s network. 7. Firewall & Router Configuration Review Assess current configurations for in-scope firewalls and other devices, and conduct a comparison to security best practices and business objectives. 8. Security Policy Review Evaluate existing security policies, procedures and practices in relation to NIST standards, regulatory requirements and current agency objectives. 9. Social Engineering Assessment Attempt to discover sensitive company information by acting as a trusted internal employee or an untrusted user. 10 Wireless Penetration Testing The goal of this task is to assess the physical and logical wireless network environment to test the security of the network design and implementation. ·Identify, test and report the strengths and weaknesses of the WLAN ·Review the security capabilities and configuration of the implemented access points ·Verify the level of security prohibiting access by unauthorized associates and devices ·Verify the level of security to prohibit access by the general public ·Verify the level of security to guard against network attacks (i.e. hackers) ·Recommend improvements to the current Wireless Network Security Standards Please provide the following information if you have performed these services: 1. The name and location of your company, contact information, and identify your business size (Small Business, Large Business, Disadvantaged Business, 8(a), Service Disabled Veteran Owned Small Business, or HubZone) based on NAICS Code 541519, size standard $23.0m. Please ensure contact information includes the name of the point of contact, email address, telephone number and DUN’s number should the Government have questions regarding individual responses. 2. Whether your services are available through a GSA Schedule or Open Market. 3. Indicate if your company has a facility clearance and the type of clearance such as, secret or top secret. Also, indicate if your employees have a secret or interim clearances and the type of clearance. 4. Indicate the names of the Agencies you have previously performed these types of services including a point of contact at the Agency. Responses to this request must be submitted no later than 2:00 p.m. EST on April 30, 2008 and may be submitted electronically to PSB3@bpd.treas.gov to the attention of Bernadette Kern. The following file extensions are not allowable and application materials/data submitted with these extensions cannot be considered:.bat,.cmd,.com,.exe,.pif,.rar,.scr,.vbs,.hta,.cpl, and.zip files. Microsoft Office compatible documents are acceptable. No other information regarding this RFI will be provided at this time. This notice does not restrict the Government to an ultimate acquisition approach. All firms responding to this sources sought notice are advised that the response is not a request that will be considered for contract award. All interested parties will be required to respond to any resultant solicitation separately from their response to this sources sought notice. Interested offerors may register at http://www.fedbizopps.gov to receive notification when the solicitation and any amendments are issued and available for downloading. Please note that the General Services Administration provides the notification service as a convenience and does not guarantee that notifications will be received by all persons on the mailing list. Therefore, we recommend that you monitor the FedBizOpps site for all information relevant to desired acquisitions. If the Internet option is not available to you, you may receive a hard copy of the solicitation and any amendments (via U.S. Mail) by faxing your request to (304) 480-7204 or e-mailing your request to PSB3@bpd.treas.gov.
- Web Link
-
FedBizOpps Complete View
(https://www.fbo.gov/?s=opportunity&mode=form&id=11e4a2771aa91a0ecd93d77030b268c8&tab=core&_cview=1)
- Place of Performance
- Address: Washington, District of Columbia, 20528, United States
- Zip Code: 20528
- Zip Code: 20528
- Record
- SN01555075-W 20080418/080416215739-11e4a2771aa91a0ecd93d77030b268c8 (fbodaily.com)
- Source
-
FedBizOpps Link to This Notice
(may not be valid after Archive Date)
| FSG Index | This Issue's Index | Today's FBO Daily Index Page |