Loren Data's SAM Daily™

fbodaily.com
FBO DAILY ISSUE OF SEPTEMBER 03, 2009 FBO #2840
SOLICITATION NOTICE

D -- OSHA WEBIMIS

Notice Date
9/1/2009
 
Notice Type
Combined Synopsis/Solicitation
 
NAICS
541519 — Other Computer Related Services
 
Contracting Office
Department of Labor, Office of the Assistant Secretary for Administration and Management, Procurement Services Center, S-4306 200 Constitution Avenue, NW, Washington, District of Columbia, 20210-0001, United States
 
ZIP Code
20210-0001
 
Solicitation Number
DOL099RP20774
 
Archive Date
9/30/2009
 
Point of Contact
Crystal Brown, Phone: 202-693-7162, Jennifer A Snook, Phone: 202-693-4585
 
E-Mail Address
brown.crystal@dol.gov, snook.jennifer@dol.gov
 
Small Business Set-Aside
Competitive 8(a)
 
Description
THIS IS A COMBINED SYNOPSIS/SOLICITATION FOR COMMERCIAL ITEMS PREPARED IN ACCORDANCE WITH THE FORMAT IN FAR SUBPART 12.6, STREAMLINED PROCEDURES FOR EVALUATION AND SOLICITATION FOR COMMERCIAL ITEMS, AS SUPPLEMENTED WITH ADDITIONAL INFORMATION INCLUDED IN THIS NOTICE. THIS ANNOUNCEMENT CONSTITUTES THE ONLY SOLICITATION; QUOTATIONS ARE BEING REQUESTED, AND A WRITTEN SOLICITATION DOCUMENT WILL NOT BE ISSUED.

This is a solicitation of Purchase Request F1W3L38218A001 and is issued as a Request for Quotation (RFQ). The solicitation document and incorporated provisions and clauses are those in effect through Federal Acquisition Circular (FAC) 2005-26. The associated North American Industrial Classification System (NAICS) code for this procurement is 541519 with a small business size standard of $25 million. This acquisition is set aside for 8(a) competition. All responsible Contractors shall provide a quote for the following:

I. INTRODUCTION

Every three years (or when a significant change occurs), all Department of Labor (DOL) major information systems must undergo independent certification by a Certifying Agency (CA) to determine whether the correct information security protections have been selected, and whether the selected controls are implemented correctly and are operating as expected, through a security controls assessment. OSHA's Web Integrated Management Information System (WebIMIS), a small General Support System (GSS), was granted a short-term Authority to Operate (ATO) on March 31, 2009. The WebIMIS Short-Term ATO expires on March 31, 2010. The purpose of this task is to acquire the services of a contractor to perform the DOL-prescribed role and responsibilities of Certifying Agent for the WebIMIS, in order to achieve full re-certification and re-authorization to operate by March 31, 2010.
The task shall include review of the WebIMIS security documentation; system testing, including a Security Controls Assessment (SCA) and vulnerability and penetration testing with recommendations for correction; interviews; observations; and preparation of CA-required documentation.

II. BACKGROUND

Based on federal requirements and mandates, the Department of Labor is responsible for ensuring that DOL agencies meet the minimum security requirements defined in Federal Information Processing Standards (FIPS) Publication (PUB) 200, Minimum Security Requirements for Federal Information and Information Systems. All DOL information systems must meet the security requirements through the use of the security controls in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems. The Department has developed certification and accreditation procedures to ensure the integrity, confidentiality, and availability of its information and information systems. The procedures include the requirement for the agency's Designated Approving Authority (DAA) to designate a certification agent (CA) to perform the following responsibilities:

• Review the security documentation for the system to determine that the controls selected for the information system are adequate.
• Develop an assessment plan to evaluate the adequacy and completeness of the information system's security mechanisms, including the controls documented in the system security plan, and measure the degree of consistency between the system's security documentation and its actual implementation.
• Refine and document assessment procedures consistent with NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems.
• Perform an assessment of the security controls.
• Analyze the assessment results to determine whether the security protections comply with the security requirements documented in the SSP, and to verify that the security controls identified in the plan are implemented correctly and operating effectively.
• Develop and provide an assessment report(s) to the DAA that documents the results of the testing activities, including the current status of the security protections for the information system, as well as conclusions and recommendations for mitigating findings.
• Prepare other required Certifying Agent documentation, including the transmittal memorandum and certification sheets for the final ATO package.

III. SCOPE OF WORK

This Task Order shall support completion of all the tasks necessary to review the existing certification documentation available, to perform the necessary testing of the WebIMIS system to ensure that the environment adheres to the terms of the Department of Labor Security Policy, and to certify that the system is ready for its Authority to Operate.

The WebIMIS is a small general support system that consists of 6 minor applications with three parallel environments: development, test and production. Additionally, the WebIMIS has a Hot Site. In each environment there are two components, the Oracle Application Server and the Oracle Database Server. Both servers run on a Sparc Solaris 10 platform running Oracle AS 10g (10.1.2.3.0) and Oracle DBMS (10.2.0.4.0). These applications can be accessed via a Web browser client. The following components are installed on the application server:
• Oracle Reports
• Oracle Forms
• Oracle Single Sign On
• Oracle Portal
• Oracle Discoverer
• Oracle Web Clipping
• Oracle Metadata Repository

The WebIMIS module is divided into the following components:

• Client Web Component
• Web Application Component
• Database Component
• Oracle Reports Component

The Database consists of the following installed components:

• Minor Application Schemas
• Oracle Internet Directory
• Oracle Enterprise Manager GRID Control – Development Only

WebIMIS is an application that is accessed over a Web browser client. The system can be accessed within the OSHANet, over the OSHA Citrix solution, or directly over the Internet. Users are authenticated to the network through unique user IDs and passwords provided by the inherited controls from the network. Application users are authenticated to the application by user IDs and passwords managed by the Oracle Single Sign On component. The users' roles are retrieved from the LDAP directory and used by the WebIMIS application servers to produce customized menus containing links to forms, reports and other functions, based on each user's individual roles and privileges. All WebIMIS servers and applications are housed at the OSHANet and WebServices data centers.

IV. STATEMENT OF WORK

Under this statement of work, the contractor shall:

1. Review WebIMIS Security Documentation provided by the system owner and provide feedback

The system owner will transmit the following documentation for the certification agent's review and feedback:

• System Security Plan – Provides system and security control descriptions as well as their current implementation status.
• Risk Assessment – Outlines the threats, threat sources, vulnerabilities, expected rates/probability of occurrence and residual risk that come from operating the system.
• Privacy Impact Assessment (PIA) – Determines the extent of privacy information stored or processed on the information system for later risk assessment.
• FIPS 199 Security Categorization – Records the various information types stored on the system to determine minimum Federal information security protection requirements.
• System Categorization Worksheet (SCW) (Inventory Documentation) – Provides system description information and describes the system boundaries.
• Incident Response Plan – Defines how the organization responds to information security incidents.
• Contingency Plan (CP) – Identifies the critical business processes, their priorities related to the agency mission, and the steps needed to restore those processes should a major contingency happen.
• Contingency Plan Test Results – The report and lessons learned resulting from the most current CP test.
• POA&M – A listing of all identified weaknesses, the level of effort, and expected completion dates for all information security weaknesses identified for the system.
• Information System Interconnection Agreements
• System-specific policies and procedures
• Security Controls Testing & Evaluation Report Results
• Office of Inspector General (OIG) Findings & related reports
• Vulnerability Scan Results
• WebIMIS Short-Term ATO documents

2. Interview OSHA Staff

The Contractor shall interview the System/Information Owner and appropriate technical staff. The purpose of the interviews will be to obtain up-to-date information about the system's functionality and sensitivity, to obtain additional information needed to fill in the blanks in the documentation (if any), and to meet NIST-prescribed methods for assessing security controls.

3. Develop Test Plans and Conduct a Security Controls Assessment

The certification agent will develop test plans and conduct a Security Controls Assessment to include:

• Security Controls Assessment – The Contractor will conduct a security controls assessment.
The purpose of the SCA is to determine whether the security protections comply with the security requirements documented in the System Security Plan (SSP) and to verify that the security controls identified in the SSP are implemented correctly and operating effectively. The assessment methods define the nature of the assessor's actions and include examine, interview, and test. The examine method is the process of reviewing, inspecting, observing, studying, or analyzing one or more assessment objects (i.e., specifications, mechanisms, or activities); its purpose is to facilitate assessor understanding, achieve clarification, or obtain evidence. The interview method is the process of conducting discussions with individuals or groups of individuals within an organization, again to facilitate assessor understanding, achieve clarification, or obtain evidence. The test method is the process of exercising one or more assessment objects (i.e., activities or mechanisms) under specified conditions to compare actual with expected behavior. In all three assessment methods, the results will be used in making the specific determinations called for in the determination statements, thereby achieving the objectives of the assessment procedure.

• Vulnerability Assessment – Using vulnerability testing tools, the Contractor will examine a representative subset of the WebIMIS security infrastructure to identify security vulnerabilities that may compromise the system. At a minimum, the security assessment will address:
  o Known vulnerabilities (such as sample code that comes with software packages, buffer overflow-type weaknesses, etc.)
  o Verification that: 1) only a minimal number of necessary services is installed on the devices; 2) no default settings, including default account names (such as "administrator"), are used; 3) password and user name rules are followed; and 4) software patches, especially those that are security related, are current.
  o Security policies and procedures and their enforcement
  o Physical security of facilities and equipment housing the information system
  o Use of application security features, including user administration and access control
  o Susceptibility to non-technical attacks
  o Unintended use by OSHA personnel
  o Suitability of technical security controls
  o Audit means to detect unauthorized actions by internal and external users, and to capture evidence of successful and unsuccessful attempts at tampering

• External Penetration Test – The Contractor shall assess the capability of WebIMIS security to detect and block unauthorized access attempts, and shall test the security of devices which must be open in some respect to external access, such as Web servers, remote access servers, and other special-purpose devices. Penetration tests shall be conducted through the public Internet. All tests must be coordinated with and pre-approved by OSHA. The Contractor shall provide OSHA with the IP addresses from which the tests will be conducted. The Contractor shall not conduct tests which may degrade availability or alter configuration or data on tested devices.

4. Prepare documents required of the Certifying Agent for the WebIMIS C&A package

• The Contractor must prepare four worksheets and a transmittal memorandum to the Designated Approving Authority (DAA).

V. DELIVERABLES

Deliverables for the contract shall include:

1. Project Management Plan – The project management plan is to be delivered two weeks after the start of the project.
This document will be updated bi-weekly during the course of the project, based on the results of the various tasks identified and future plans within the project.

2. System Security Documentation Review Report – Draft and Final – The report shall address required content, errors, inconsistencies, or omissions required to complete the certification process.

3. Rules of Engagement – Draft and Final – The Rules of Engagement (ROE) will specify the rules to be followed during the course of system testing, and will include the set of test tools to be used to accomplish the testing. The full content and format of the ROE will be determined in concert with the Federal Project Monitor.

4. Test Plans (SCA, Vulnerability Assessment (VA) & External Penetration) – Draft and Final – Separate test plans or a consolidated test plan may be submitted. The SCA plan format and content will be consistent with DOL guidelines. The format and content of the VA & Penetration Test Plans will be determined in concert with the Federal Project Monitor.

5. Test Reports – Draft and Final – The test reports will document the results of the test activities, including any deficiencies. The SCA test results will be recorded using the DOL-prescribed Security Controls Assessment Procedures and Results template. The Vulnerability and Penetration Reports shall, at a minimum, include the following subjects: purpose and objectives of the report, concise description of the application/target assessed, identification and specification of the security vulnerabilities, identification and specification of potential threats to the information system, mission impact analysis, and countermeasure analysis. In addition, the reports will also include recommended measures necessary to prevent security breaches, to capture the necessary evidence of successful or unsuccessful attempts to gain unauthorized access, and to ensure that the transmittal of sensitive information is secured from unauthorized capture or access.

6. Certification and Accreditation Documentation – As the certifying agency, the Contractor must prepare and deliver the following DOL-required documentation for the WebIMIS C&A package:

• Worksheet 1 – System Overview – This worksheet provides information on the system identification, system environment, and sensitivity of information handled. Most of the information required for Worksheet 1 can be obtained from the System Categorization Worksheet (SCW) and the SSP.
• Worksheet 2 – Identified Vulnerabilities, Risks, and Security Controls – Worksheet 2 matches existing security controls with identified vulnerabilities and risks. Much of the information required can be obtained from the system Risk Assessment Report, which should be attached as a reference.
• Worksheet 3 – Security Controls Assessment Summary Report – This worksheet documents the results of the Security Controls Assessment completed on the security controls listed in the SSP. The full Security Controls Assessment Report should be attached as a reference.
• Worksheet 4 – Certification Statement – Worksheet 4 is the certification statement from the certification agent to the DAA certifying that the security controls adequately protect the system. Restrictions and comments are provided. The certification statement validates that the system's security POA&M addresses all remaining corrective actions and references the specific POA&M (providing system name, quarter, and year) in the letter; the POA&M should be attached. The certification statement also includes a recommended list of acceptable residual risks. The certification statement is for all DOL information systems. When all security requirements and security testing are complete, the Certification Package documents will be provided to the DAA for issuance of an ATO.
• Transmittal Memo 1 – Certification Agent Recommendation Transmittal Memorandum – The second transmittal memo is from the certification agent to the DAA, summarizing the certification findings and providing a recommendation for the accreditation decision.

Instructions and templates for preparing the deliverables identified above will be provided by OSHA.

7. Submit with all monthly invoices:
  a. Monthly Progress Reports
  b. Timesheets
  c. Sign In/Out Logs
  d. Receipts for Other Direct Costs

VI. SCHEDULE FOR DELIVERABLES

Key milestones for the task include:

Milestone | Due Date/Timeframe
Deliver Project Management Plan | Initial PMP within 2 weeks of project start, and bi-weekly thereafter
Deliver System Security Documentation Review Final Report | November 30, 2009
Complete System Testing, including SCA, Vulnerability & Penetration Tests | January 29, 2010
Deliver Final Assessment Report(s) | February 26, 2010
Deliver CA ATO Documentation, including | March 5, 2010

The final schedule and formats for deliverables, to the maximum extent practicable, will be determined in concert with the Federal Project Monitor. Designated deliverables shall be submitted using Attachment A as the cover sheet.

VII. REPORTS AND MEETINGS

The Contractor is required to provide OSHA with weekly written status reports (e-mail messages are acceptable). These are due to OSHA no later than COB Monday of each week. The status reports shall cover all work completed during the preceding week and shall present the work to be accomplished during the subsequent week. The report shall also identify any problems encountered or still outstanding, with an explanation of the cause and resolution of the problem or how the problem will be resolved. The Contractor will also conduct brief status meetings when requested by the Federal Project Manager or OSHA's COTR.
VIII. PLACE OF PERFORMANCE

The Contractor shall complete the work associated with the task at the Contractor's own facilities or, when required, at OSHA Headquarters located in Washington, D.C.

IX. TRAVEL

No travel is anticipated for this task. Remote testing of WebIMIS components located in Salt Lake City, UT is assumed.

X. ESTIMATED LEVEL OF EFFORT

This is a Firm-Fixed Price task. The vendor will provide a quote for the Statement of Work.

Labor Category | Hours | Rate | Total
Subtotal:
ODCs – None | 0.00
Total:

XI. PERIOD OF PERFORMANCE

The period of performance is from the date of award through April 16, 2010.

XII. GOVERNMENT FURNISHED PROPERTY, EQUIPMENT AND INFORMATION

The Government will provide the Contractor with systems and documentation access as appropriate. The Government will provide all available procedural guides, standards, reference materials and other pertinent documentation. The Government will also facilitate meetings between the Contractor and Information Systems staff when required.

XIII. OTHER SPECIAL REQUIREMENTS

Contractor Furnished Software
The Contractor will provide applicable security testing tools. The technical testing tools, at a minimum, must include an industry-standard web application testing tool and a credentialed vulnerability scanner (one which logs onto the server).

Confidentiality and Nondisclosure
The interim and final deliverables and all associated working papers and other material deemed relevant by OSHA that have been generated by the Contractor in the performance of this contract are the property of the U.S. Government and must be submitted to the COTR at the conclusion of the contract.

XIV. SECURITY

Contract staff are required to conform to OSHA's security and privacy requirements as described below.

Security
The Contractor will comply with the Computer Security Act of 1987. All products and deliverables developed under this Contract will comply with DOL and OSHA Computer Security guidelines and the guidelines contained in OMB Circular A-130. All Contract staff working in OSHA office space and/or using OSHA LAN/WAN and computer systems to perform duties under this Contract will agree to and sign the OSHA Rules of Behavior for Computer Use and a Non-Disclosure Agreement. A copy of each signed and witnessed Non-Disclosure Agreement shall be submitted to the Project Officer before the employee performs any work under any task order. The Contractor will be responsible for ensuring compliance by its employees with the security regulations of OSHA and other Government installations or Contractor facilities where work is performed under this Contract. This includes the safekeeping and display of a government-provided photo ID badge by employees of the Contractor and any subcontractor while these employees are in federally owned or leased property. The Contractor will ensure the security of all OSHA property, building ID badges, key cards and standard keys issued to Contractor staff. For employees leaving the project permanently or for an extended period of time, the Contractor will return all badges, property, key cards, parking placards, and keys the same day the employees leave the project.

Background Investigations
OSHA's data and work environment is considered sensitive and in some instances classified. OSHA is required, under Homeland Security Presidential Directive (HSPD) 12, "Policy for a Common Identification Standard for Federal Employees and Contractors," to perform background investigations for Contractors. The National Agency Check and Inquiries (NACI) and the Minimum Background Investigation (MBI) are forms of background investigation conducted through the Office of Personnel Management. These investigations will be conducted for contractor staff assigned to this Contract. Contractor staff will be required to provide two forms of acceptable identification and to be fingerprinted. Successful clearance is required for a contractor employee to continue working under this Contract.

Privacy
Portions of the information disclosed during the performance of this Contract are protected by the provisions of the Privacy Act of 1974; therefore, all personnel assigned to this Contract are required to take proper precautions to protect the information from disclosure.

Ownership
All products and deliverables developed under this Contract are the property of the U.S. Government and the Occupational Safety and Health Administration.

Commitment to Protect Sensitive Information
The Contractor shall not release, publish, or disclose sensitive or classified information to unauthorized personnel, and shall protect such information in accordance with the provisions of the following law and any other pertinent laws and regulations governing the confidentiality of sensitive or classified information: 18 U.S.C. 641 (Criminal Code: Public Money, Property or Records).

Required Security Training
All contractor employees must receive security training prior to being given access to OSHA and DOL systems, and periodically thereafter as required by DOL/OSHA security policies.

XV. SECTION 508 REQUIREMENTS

If applicable, the Contractor shall be required to operate under reasonable accommodations for special needs employees pursuant to recent legislation. OSHA shall be responsible for procuring any necessary equipment and software needed by special needs employees utilized by the Contractor.

Place of delivery for acceptance and FOB point: OSHA, Directorate of Info Tech, U.S. Department of Labor, 200 Constitution Avenue, NW N3661, Washington, DC 20210. Additionally, offers of equal quality must include a copy of the technical description and/or product literature.
The following provisions apply to this acquisition: 52.211-5 Brand Name or Equal; FAR 52.212-1, supplemented per the following addendum: "Contractor shall submit their quote on company letterhead, with delivery time, name, address, and telephone number of the offeror, unit price, and overall total price"; 52.212-3 Offeror Representations and Certifications – Commercial Items; 52.212-3 Alt I Offeror Representations and Certifications – Commercial Items; 52.212-4 Contract Terms and Conditions – Commercial Items; 52.212-5 (Dev) Contract Terms and Conditions Required to Implement Statutes or Executive Orders – Commercial Items, including subparagraphs: 52.219-6 Notice of Total Small Business Set-Aside; 52.219-28 Post-Award Small Business Program Representation; 52.222-3 Convict Labor; 52.222-19 Child Labor – Cooperation with Authorities and Remedies; 52.222-21 Prohibition of Segregated Facilities; 52.222-26 Equal Opportunity; 52.222-36 Affirmative Action for Workers with Disabilities; 52.222-50; 52.225-3 Buy American Act – Free Trade Agreements – Israeli Trade Act; 52.225-13 Restriction on Certain Foreign Purchases; 52.232-33 Payment by Electronic Funds Transfer – Central Contractor Registration; 52.233-3 Protest After Award; 52.233-4 Applicable Law for Breach of Contract Claim; 52.252-2 Clauses Incorporated by Reference. Representations and Certifications are located at http://orca.bpn.gov/ in accordance with FAR 4.1201(a).

This is a best-value procurement. Award will be made to the offeror whose offer, conforming to the solicitation, is determined to be most advantageous to the Government, price and other factors considered. The Government intends to evaluate offers and award without discussion. Offerors shall submit all information with their offer as required in 52.212-1. Offerors may obtain copies of the referenced provisions and clauses at: http://arnet.gov/far.

Quotations must be received by September 11, 2009, 11:00 am (Eastern Standard Time). Quotations shall be submitted via e-mail to: U.S. Department of Labor – OASAM, Attn: Crystal Brown – Room S-4306, 200 Constitution Avenue, NW, Washington, DC 20210
 
Web Link
FBO.gov Permalink
(https://www.fbo.gov/spg/DOL/OASAM/WashingtonDC/DOL099RP20774/listing.html)
 
Place of Performance
Address: 200 Constitution Avenue, Washington, District of Columbia, 20210, United States
Zip Code: 20210
 
Record
SN01935693-W 20090903/090902004301-56db4c1d7924e702e9e8c7f819682f8a (fbodaily.com)
 
