Loren Data's SAM Daily™

fbodaily.com
FBO DAILY ISSUE OF SEPTEMBER 09, 2010 FBO #3211
SOLICITATION NOTICE

R -- Certification and Accreditation of USADF Information Systems

Notice Date
9/7/2010
 
Notice Type
Combined Synopsis/Solicitation
 
NAICS
812990 — All Other Personal Services
 
Contracting Office
African Development Foundation, Contracts Office, African Development Foundation, Washington, DC, 1400 Eye Street, N.W., Suite 1000, 10th Floor, Washington, District of Columbia, 20005
 
ZIP Code
20005
 
Solicitation Number
ADF-10-Q-400
 
Archive Date
10/12/2010
 
Point of Contact
Contracting Officer, Phone: 202-233-8800
 
E-Mail Address
adfcontractbids@usadf.gov
 
Small Business Set-Aside
Total Small Business
 
Description
The African Development Foundation
Certification and Accreditation of USADF Information Systems

Introduction

The United States African Development Foundation (ADF) is an independent Federal agency established to support African-designed and African-driven solutions that address grassroots economic and social problems. ADF provides grants directly to under-served and marginalized community groups and enterprises. The grants help organizations create tangible benefits such as increasing or sustaining the number of jobs in a community, improving income levels, and addressing social development needs. ADF is a public corporation with a seven-member Board of Directors who are nominated by the President and confirmed by the United States Senate. ADF is a Federal grant-making public corporation and can be characterized as a micro-agency with 50 staff members in Washington. Washington staff communicate with approximately 100 contractors and partners in 20 countries in Africa via email and telephone. ADF's annual budget is approximately $30 million.

To support its mission and the work of its staff, the Foundation operates an internal computer network. Network integrity and reliability are critical to ADF's operations, and e-mail and Internet connectivity are critical to ADF's ability to work with its partners and clients throughout Africa. The ADF network is best characterized as a Wide Area Network (WAN) and includes various servers, client computers, printers, firewalls, intrusion detection systems, offline storage devices, routers, switches and other devices deployed both in our offices in Washington, DC, and in Africa. The internal network uses Microsoft Windows operating systems and application software. In addition to internal operations, the WAN provides Internet e-mail and Internet connectivity for ADF.

Statement of Work

Scope

This Statement of Work presents two tasks, both of which will examine two systems at USADF.

System 001 - USADF Wide Area Network (WAN)
The WAN comprises the system of routers, switches, firewalls, servers, and conduits supporting the connectivity of the USADF wide area network, and provides the single interface to the VERIZON backbone network for Internet access. This infrastructure and WAN connectivity is bounded by a border/gateway router and perimeter firewall and includes software and hardware applications, workstations, servers and switches.

System 002 - USADF Program Support Systems (PSS)
The Program Support Systems (PSS) is comprised of system applications that support the Foundation's organizational requirements, under the management of the Management Division. The PSS is comprised of the following mission support applications:
• Grants Management Database (GMDB) Application
• Pro Req Procurement System
• ADF Web Software Application

I. Risk Assessment

The contractor shall perform a risk assessment on the two specified systems. Along with other elements of the U.S. African Development Foundation information security plans, the assessment of risk is an important activity that directly supports security accreditation as required by the Federal Information Security Management Act (FISMA) and Office of Management and Budget (OMB) Circular A-130, Appendix III. Risk assessments influence the development of the security controls for information systems and generate much of the information needed for the associated system security plans. The risk assessment shall be performed in consideration of the requirements outlined in Federal Information Processing Standard (FIPS) 200, "Minimum Security Requirements for Federal Information and Information Systems", and shall characterize the information processed by each specified system using FIPS 199, "Standards for Security Categorization of Federal Information and Information Systems".

In addition, the processes and controls presented in the following National Institute of Standards and Technology (NIST) Special Publications shall be followed and referenced as well:
• NIST Special Publication 800-37 Rev 1, "Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach", (February 2010).
• NIST Special Publication 800-53, Rev 3, "Recommended Security Controls for Federal Information Systems and Organizations", (August 2009).
• NIST Special Publication 800-60, Volume I Rev 1, "Guide for Mapping Types of Information and Information Systems to Security Categories", and Volume II Rev 1, "Appendices to Guide for Mapping Types of Information and Information Systems to Security Categories", (August 2008).

The risk assessment will accomplish the following tasks:
1. Identification of the information types processed by the system, associated with the appropriate NIST SP 800-60 information type; the appropriate information sensitivity for confidentiality, integrity, and availability; and the rationale for the sensitivity.
2. Identification of specified system user types and associated roles and responsibilities.
3. Identification of risk assessment team members and their associations.
4. A description of the risk assessment approach and techniques, where the techniques include documentation review, interviews, observation, and hands-on system assessment.
5. A description of the risk scale used, including at a minimum the potential impact as defined in FIPS 199, and likelihood as defined in NIST SP 800-30, "Risk Management Guide for Information Technology Systems".
6. A list of potential system vulnerabilities.
7. A list of potential threat-sources applicable to the system, including natural, human, and environmental threat-sources.
8. A table of vulnerability and threat-source pairs and observations about each.
9. Detailed findings for each vulnerability and threat-source pair discussing the possible outcome if the pair is exploited; existing controls to mitigate the pair; the likelihood determination as high, moderate, or low; the impact determination expressed as high, moderate, or low; the overall risk rating based upon the risk scale; and the recommended controls to mitigate the risk.
10. A summary that includes the number of high, moderate, and low findings and provides a list of prioritized action items based upon the findings.

The risk assessment shall be documented in a report that follows the US Nuclear Regulatory Commission Template for Risk Assessment Report. The report shall be delivered in draft form and then in final form after ADF comments are incorporated. ADF IT Security staff review of the draft is required to ensure compliance. The ADF Senior IT Security Officer must approve the final report to enable system accreditation. The contractor will track any residual risk in the Plan of Action and Milestones (POA&M).

The contractor shall document the results of the process. This shall include documenting the risk number, a description of each risk, the type of risk (i.e., impacting confidentiality, integrity, or availability), the level of risk (i.e., low, moderate, or high), the associated controls, and the action(s) required or actually performed to eliminate or minimize each risk. The goal is for ADF and contractor personnel to remediate all high and moderate security findings, and to track the remaining security findings in the POA&M.

II. Security Testing and Evaluation

The contractor shall perform security tests and evaluations (ST&Es) on the two specified systems. The purpose of these tests and evaluations is to examine compliance with the security requirements documented in the systems' security plans and to verify that the security controls identified in the plans are correctly implemented. The testing and evaluation process is to provide a report for each system and its components with regard to the security status of each as examined during the test period. The overall objective of the ST&Es is to ensure that a comprehensive test is successfully completed that covers all appropriate security requirements, involves all necessary individuals, and ultimately provides the information needed to support the Certification & Accreditation (C&A) process. The accepted processes will examine the systems in their production environment as hosted and supported by ADF. Interviews with system users and network support personnel from ADF will provide supporting information and insights into the implementation and operation of each system.

The ST&E effort will accomplish the following tasks:
1. Review system documentation.
2. Review results of the system Risk Assessment. Identify key areas of interest.
3. Establish a schedule for interviews and vulnerability scans.
4. Conduct interviews. Perform vulnerability scans.
5. Consolidate information gathered from interviews, scans, and checklists.
6. Analyze results.
7. Compile documentation for ST&E reports, including information on the testing tools used.
8. Prepare recommendations / final report.

This ST&E will be performed in accordance with the following:

Publications, Policies, Directives and Instructions
• Committee on National Security Systems (CNSS) Instruction 4009, "National Information Assurance Glossary", (June 2006).
• Committee on National Security Systems (CNSS) Instruction 1253, "Security Categorization and Control Selection for National Security Systems", (October 2009).
• Office of Management and Budget (OMB) Circular No. A-123, "Management's Responsibility for Internal Control", (December 2004).
• Office of Management and Budget (OMB) Circular No. A-130, Appendix III, "Security of Federal Automated Information Resources", (November 2000).
• Office of Management and Budget Memorandum M-02-01, "Guidance for Preparing and Submitting Security Plans of Action and Milestones", (October 2001).
• Office of Management and Budget, Federal Enterprise Architecture (FEA) Program Management Office, FEA "Consolidated Reference Model Document", (October 2007).
• Office of Management and Budget, Federal Enterprise Architecture (FEA) Program Management Office, FEA "Practice Guidance", (November 2007).

Standards
• NIST Federal Information Processing Standards Publication 199, "Standards for Security Categorization of Federal Information and Information Systems", (February 2004).
• NIST Federal Information Processing Standards Publication 200, "Minimum Security Requirements for Federal Information and Information Systems", (March 2006).

Guidelines
• NIST Special Publication (SP) 800-14, "Generally Accepted Principles and Practices for Securing Information Technology Systems", (September 1996).
• NIST SP 800-18, Rev 1, "Guide for Developing Security Plans for Federal Information Systems", (February 2006).
• NIST SP 800-27, Rev A, "Engineering Principles for Information Technology Security (A Baseline for Achieving Security)", (June 2004).
• NIST SP 800-30, "Risk Management Guide for Information Technology Systems", (July 2002).
• NIST SP 800-37 Rev 1, "Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach", (February 2010).
• NIST SP 800-39 (Second Public Draft), "Managing Risk from Information Systems: An Organizational Perspective", (April 2008).
• NIST SP 800-53, Rev 3, "Recommended Security Controls for Federal Information Systems and Organizations", (August 2009).
• NIST SP 800-53A, "Guide for Assessing the Security Controls in Federal Information Systems: Building Effective Security Assessment Plans", (July 2008).
• NIST SP 800-59, "Guideline for Identifying an Information System as a National Security System", (August 2003).
• NIST SP 800-60, Volume I Rev 1, "Guide for Mapping Types of Information and Information Systems to Security Categories", and Volume II Rev 1, "Appendices to Guide for Mapping Types of Information and Information Systems to Security Categories", (August 2008).
• NIST SP 800-64, Rev 1, "Security Considerations in the Information System Development Life Cycle", (June 2004).
• NIST SP 800-70, "Security Configuration Checklists Program for IT Products: Guidance for Checklists Users and Developers", (May 2005).
• NIST SP 800-83, "Guide to Malware Incident Prevention and Handling", (November 2005).
• NIST SP 800-94, "Guide to Intrusion Detection and Prevention Systems (IDPS)", (February 2007).
• NIST SP 800-100, "Information Security Handbook: A Guide for Managers", (October 2006).
• African Development Foundation, "IT Security Program Policy and Minimum Implementation Standards", (September 15, 2009).

The contractor shall document the results of the process. This shall include documenting the tests and their results. The information shall be complete and detailed enough for USADF personnel to remediate all findings, and to track these and any remaining findings in the POA&M.

Proprietary Information

All information and documents made available to the contractor during the course of this contract are deemed official use only, as they provide information on system vulnerabilities, and shall be returned to ADF upon completion of the contract.

Summary of Deliverables

The contractor shall submit all deliverables in paper copy and in electronic format (Microsoft Word on CD-ROM); they are due within the timeframes outlined below.
a) General Work Plan and Schedule (2 weeks after task award)
b) Draft Reports (targeted to be not later than Oct 30, 2010)
c) Final Reports (targeted to be not later than Nov 30, 2010)

Payment Schedule
a) General Work Plan and Schedule: 10%
b) Draft Reports: 30%
c) Final Reports: 60%

Timeframes
9/7/10 SOW posted
9/15/10 Bidders' questions due
9/21/10 ADF posts answers
9/27/10 Final bids due
10/1/10 Evaluations completed
10/8/10 Contract awarded
10/13/10 Contract work begins

Structured Proposal Format and Evaluation Criteria

(Your proposal will be evaluated on the six criteria below, per the weighting indicated.)

Complete the following on a separate page:
- Contact Information: (Name, email, telephone, address)
- Description of your business (not to exceed one page)

1. List three business references and contact information for the past three Certification and Accreditation (C&A) engagements you successfully conducted for a federal, state, or county agency. Include name, contact information, and type of C&A performed. (20%)
2. Discuss your recent Risk Assessment experience and how it relates to this request (not to exceed one page). Please provide a sample. (20%)
3. Discuss your recent Security Testing and Evaluation experience and how it relates to this request (not to exceed one page). (20%)
4. Discuss your recent Project Management and Client Management experience and how it relates to this request (not to exceed one page). (20%)
5. Cost Proposal (10%): Please estimate the man-hours required to accomplish this project:
   Part 1 - Plan and Schedule:
   Part 2 - Testing and Draft Report:
   Part 3 - Final Report:
   Total Hours:
   What is your hourly rate?
   Incidental Costs:
   Total Proposed Fixed Price for this Project:
6. General Timeline and Estimated Date of Completion (10%):

Signature and Date:
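The following is an added worked example, not part of the solicitation and not any USADF or contractor document. It shows how the risk-scale elements called for in Section I (tasks 1, 5, 8, 9 and 10, and the POA&M paragraph) fit together in code: FIPS 199 high-water-mark categorization of a system from its information types, the NIST SP 800-30 (2002) likelihood-by-impact risk-level matrix applied to each vulnerability/threat-source pair, the high/moderate/low summary with a prioritized action list, and the residual-risk entries that carry into the POA&M. The information types, findings, ratings and control mappings are constructed sample data; the SP 800-53 control identifiers quoted in the recommended controls are real control names, but assigning them to these findings is the example's own assumption.

```python
"""FIPS 199 categorization and SP 800-30 risk rating for a C&A risk assessment.

Added illustration only; not part of the USADF solicitation. Every information
type, finding and rating below is constructed sample data.
"""
from dataclasses import dataclass, field

LEVELS = ("low", "moderate", "high")
RANK = {lvl: i for i, lvl in enumerate(LEVELS)}
OBJECTIVES = ("confidentiality", "integrity", "availability")

# SP 800-30 (2002) Table 3-6 risk-level matrix: likelihood 0.1/0.5/1.0 times
# impact 10/50/100, bucketed Low (1-10), Medium (>10-50), High (>50-100).
# Likelihood weights are stored x10 so every product is an exact integer.
# SP 800-30 calls the middle level "Medium"; the SOW says "moderate".
LIKELIHOOD_X10 = {"low": 1, "moderate": 5, "high": 10}
IMPACT_WEIGHT = {"low": 10, "moderate": 50, "high": 100}


def highest(levels):
    return max(levels, key=RANK.__getitem__)


def fips199_category(info_types):
    """FIPS 199 high-water mark: each objective takes the highest impact level
    of any information type the system processes; the system category is the
    highest of the three objectives."""
    category = {obj: highest(t[obj] for t in info_types.values()) for obj in OBJECTIVES}
    category["system"] = highest(category[obj] for obj in OBJECTIVES)
    return category


def risk_level(likelihood, impact):
    """Overall risk rating for one vulnerability/threat-source pair (task 9)."""
    score = LIKELIHOOD_X10[likelihood] * IMPACT_WEIGHT[impact] // 10
    if score > 50:
        return "high"
    if score > 10:
        return "moderate"
    return "low"


@dataclass
class Finding:
    vulnerability: str
    threat_source: str
    objective: str            # which of C/I/A the pair impacts
    likelihood: str
    impact: str
    existing_controls: str
    recommended_controls: str
    risk: str = field(init=False)

    def __post_init__(self):
        self.risk = risk_level(self.likelihood, self.impact)


def summarize(findings):
    """Counts per level plus findings ordered highest risk first (task 10)."""
    counts = {lvl: sum(1 for f in findings if f.risk == lvl) for lvl in LEVELS}
    prioritized = sorted(findings, key=lambda f: RANK[f.risk], reverse=True)
    return counts, prioritized


def poam_entries(findings, remediated):
    """Residual risk for the POA&M: findings not yet remediated, carrying the
    fields the SOW asks for (risk number, description, type, level, controls,
    action). Risk numbers follow the prioritized order and stay stable."""
    _, prioritized = summarize(findings)
    entries = []
    for number, f in enumerate(prioritized, start=1):
        if f.vulnerability in remediated:
            continue  # closed findings drop off the POA&M
        entries.append({
            "risk_number": number,
            "description": f"{f.vulnerability} exploited by {f.threat_source}",
            "type": f.objective,
            "level": f.risk,
            "controls": f.existing_controls,
            "action": f.recommended_controls,
        })
    return entries


# Constructed sample: information types for a PSS-like system, with impact
# levels assigned in the SP 800-60 style (illustrative, not USADF's values).
PSS_INFO_TYPES = {
    "grant award and administration records": {"confidentiality": "moderate", "integrity": "moderate", "availability": "low"},
    "procurement records": {"confidentiality": "moderate", "integrity": "moderate", "availability": "low"},
    "public web content": {"confidentiality": "low", "integrity": "moderate", "availability": "moderate"},
}

# Constructed sample vulnerability/threat-source pairs (tasks 8 and 9).
SAMPLE_FINDINGS = [
    Finding("shared administrator account on the GMDB server", "malicious insider",
            "confidentiality", "high", "high", "none; password known to several staff",
            "individual admin accounts with audit logging (AC-2, AU-2)"),
    Finding("missing OS patches on the web application host", "external attacker via Internet",
            "integrity", "moderate", "high", "perimeter firewall, IDS",
            "monthly patch cycle and vulnerability scanning (SI-2, RA-5)"),
    Finding("single Internet uplink with no failover", "environmental: carrier outage",
            "availability", "high", "moderate", "service-level agreement with carrier",
            "secondary uplink or documented contingency procedure (CP-8)"),
    Finding("backup media stored on site only", "natural: fire",
            "availability", "low", "high", "fire suppression in server room",
            "off-site backup storage (CP-6)"),
]

if __name__ == "__main__":
    print(fips199_category(PSS_INFO_TYPES))
    counts, ordered = summarize(SAMPLE_FINDINGS)
    print(counts, [f.risk for f in ordered])
    print(poam_entries(SAMPLE_FINDINGS, {SAMPLE_FINDINGS[0].vulnerability}))
```

Two points worth noticing when running it: a moderate likelihood against a high impact and a high likelihood against a moderate impact both score 50 and land in the moderate band, so the matrix alone will not separate them and the prioritized list keeps the assessor's original order for ties; and the SOW's goal of remediating every high and moderate finding means the POA&M should normally carry only low residual items, which is easy to check by filtering the returned entries on their level.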
 
Web Link
FBO.gov Permalink
(https://www.fbo.gov/spg/ADF/ADFADF1/ADFADFL/ADF-10-Q-400/listing.html)
 
Place of Performance
Address: Washington, DC, Washington, District of Columbia, 20005, United States
Zip Code: 20005
 
Record
SN02271074-W 20100909/100908063420-73e527b29ca1ca1a11c8de4a057ca5e4 (fbodaily.com)
 
Source
FedBizOpps
