Loren Data's SAM Daily™

fbodaily.com
FBO DAILY ISSUE OF MARCH 19, 2011 FBO #3402
SOURCES SOUGHT

D -- Information Assurance IT Vulnerability Assessments.

Notice Date
3/17/2011
 
Notice Type
Sources Sought
 
NAICS
541519 — Other Computer Related Services
 
Contracting Office
Defense Information Systems Agency, Procurement Directorate, DITCO-Scott, 2300 East Dr., Building 3600, Scott AFB, Illinois, 62225-5406, United States
 
ZIP Code
62225-5406
 
Solicitation Number
E200406
 
Archive Date
4/8/2011
 
Point of Contact
David Slye, Phone: (301) 878-2603, Emyrose Calidan, Phone: (703) 699-3566
 
E-Mail Address
David.Slye@osd.mil, Emyrose.Calicdan@osd.mil
 
Small Business Set-Aside
N/A
 
Description
PURPOSE: The purpose of this Request for Information (RFI) is to establish a list of vendors that can effectively satisfy the technical requirements of the requested contract service and that have the knowledge, experience, training, expertise and certifications required to accomplish the tasks stated below. THE GOVERNMENT DOES NOT INTEND TO AWARD A CONTRACT ON THE BASIS OF THIS RFI OR REIMBURSE ANY COSTS ASSOCIATED WITH THE PREPARATION OF RESPONSES TO THIS RFI. This RFI is issued solely for information and planning purposes and does not constitute a solicitation. All information received in response to this RFI that is marked Proprietary will be handled accordingly. Responses to the RFI will not be returned. Information provided in response to this RFI will be used to assess the tradeoffs and alternatives available for determining how to proceed in the acquisition process for Information Assurance IT Vulnerability Assessments. In accordance with FAR 15.201(e), responses to this RFI are not offers and cannot be accepted by the Government to form a binding contract.

Target Audience: Only small businesses are requested to respond to this RFI, to assist DISA in formulating an acquisition strategy that fairly considers the ability of small businesses to participate in the acquisition, either as prime contractors or as subcontractors.

Sources Sought: This Sources Sought synopsis is requesting responses to the following criteria ONLY from small businesses that can provide the required services under North American Industry Classification System (NAICS) Code 541519. In addition to Small Businesses, this synopsis encourages responses from qualified and capable Service-Disabled Veteran-Owned Small Businesses, Veteran-Owned Small Businesses, Women-Owned Small Businesses, HUBZone Small Businesses, Small Disadvantaged Businesses, Historically Black Colleges and Universities/Minority Institutions, Small Business Joint Ventures, Consortiums and Teaming Partners.
This Sources Sought synopsis is issued to assist the agency in performing market research to determine whether or not there are qualified and capable small businesses able to provide the aforementioned service. Small businesses must submit responses that demonstrate their qualifications so that a determination can be made on a small business set-aside. Please note that personnel with a current DoD Top Secret clearance will be required at contract award. Responses must demonstrate the company's ability to perform in accordance with the Limitations on Subcontracting clause (FAR 52.219-14). Interested small businesses meeting the small business size standard for NAICS Code 541519 are requested to submit a response to David.Slye@osd.mil and Emyrose.Calicdan@osd.mil via email no later than (NLT) 24 March 2011, 2:00 PM Eastern Daylight Time (EDT). Late responses will not be considered. At this time, the government is not seeking responses from large businesses. The government knows that there are large businesses that can perform the work.

BACKGROUND: The Office of the Secretary of Defense (OSD) is the principal staff element responsible for the exercise of policy development, planning, resource management, fiscal, and program evaluation responsibilities. The Secretary of Defense is the principal defense policy adviser to the President and is responsible for the formulation of general defense policy and policy related to all matters of direct concern to the DoD, and for the execution of approved policy. Under the direction of the President, the Secretary exercises authority, direction and control over the Department of Defense. The Performance Work Statement (PWS) tasks are required by FIPS Pub 199, DoD Directive 8500.1, DoD Instruction 8500.2, DoD Instruction 5200.40, CJCSI 6510.01, and OMB A-130. This contract team shall fulfill the independent IA vulnerability assessment requirement for all OSD components.
The OSD CIO instituted a Security Assistance Visit team in 2003 for IV&V to conduct the IA assessments throughout OSD and its component offices.

OBJECTIVES/SCOPE: The OSD objective is to strengthen the Information Technology Security posture through the implementation of the tasks stated in the PWS, conducting annual assessments at each office within the OSD organizational structure. The annual assessments will be accomplished by the Inspection, Verification and Validation (IV&V) process established in OSD and modeled after DISA's Security Readiness Review (SRR) process. The assessments will be conducted by the OSD Security Assistance Visit team (SAV team), which will be comprised of the individuals and tasks specified in this contract action. The SAVs will be accomplished annually and as necessary. The expected result of this action is a robust IT security posture that can be maintained from year to year, with fewer security incidents found to result from inadequate IT security. The objective of this effort is to acquire IA and security engineering expertise to support the annual assessments that will be accomplished by the IV&V process: to obtain qualified technical engineers who have previous experience with the DISA FSO SRR process, who know the required security technical assessment tools and their use, and who can record the results within the DoD Vulnerability Management System (VMS) database. This level of experience, knowledge and technical expertise is required to avoid extensive training and to allow a quick start on the contract services specified in the tasks listed below.

SCOPE: The contractor shall state their previous knowledge, experience and technical expertise in conducting IT security vulnerability assessments, as stated in the specific tasks listed below.
The vulnerability assessments will include network scans and script reviews on UNIX and Linux operating systems, Windows operating systems, Oracle and MS SQL databases and other identified platforms in order to identify potential security vulnerabilities and to assist OSD System Administrators (SAs) in correcting weaknesses and vulnerabilities. The independent IT security evaluations will be conducted to verify and validate the security practices of the OSD component IA teams, and to facilitate the technical certification and accreditation of the OSD IT domain. Contractor personnel assigned to this contract shall represent OSD CIO in the technical areas mentioned above and provide security guidance and recommendations to preserve and enhance the OSD security posture. The contractor must state their familiarity with the roles and responsibilities of OSD functions and key Government personnel. Familiarity with this structure is necessary to perform the coordination functions required to execute the tasks listed below. In addition, contractor personnel shall have professional communication skills for interfacing with senior-level OSD officials. The contractor shall provide assessment reports, mitigation strategy technical advice, and assessment status tracking and reporting for each security assessment visit. The assessment results will then be provided to the OSD CIO IA Division for incorporation into the DIACAP.

Specific activities to be executed and supported by the contractor may include but are not limited to the following:

Task 1 - Enclave Security Services.

Subtask 1 - Network scans, using the DoD-approved tools to perform the assessment. The approved tools include the Retina network scanning tool, the DoD DISA Windows Operating System Gold Disk, and the scripts and checklists associated with the DISA Security Technical Implementation Guides (STIGs).
The standard for this requirement is established by DISA SRR procedures and OSD CIO SOP; the maximum allowable degree of deviation is 0 (barring technical issues or site restrictions); surveillance will be accomplished through monitoring of the VMS database and government lead oversight.

Subtask 2 - Verify false positives, and export scan results to the VMS database. Working knowledge of and experience with the VMS database is imperative and required for the IT security assessment services. The standard for this requirement is established by DISA SRR procedures and OSD CIO SOP; the maximum allowable degree of deviation is 3%; surveillance will be accomplished through government lead oversight.

Subtask 3 - Perform system administrator desk-side assistance. The standard for this requirement is established by DISA SRR procedures and OSD CIO SOP; the maximum allowable degree of deviation is 0; surveillance will be accomplished through government lead oversight.

Subtask 4 - Create and deliver enclave briefings to System Administrators, Component ITMs, the Network Manager, and the CIO on findings, actions taken, the current status of security in the enclave, and follow-on actions required. The standard for this requirement is established by DISA SRR procedures and OSD CIO SOP; the maximum allowable degree of deviation is 0; surveillance will be accomplished through government lead oversight.

Subtask 5 - Perform resolution support to remediate identified vulnerabilities, as required. The standard for this requirement is established by DISA SRR procedures and OSD CIO SOP; the maximum allowable degree of deviation is 0; surveillance will be accomplished through government lead oversight.

Task 2. OSD Network Security Services.

Subtask 1. Perform network review analysis using the associated DoD DISA STIG and its respective STIG Checklist. This also includes the security assessment of network devices such as TCP/IP routers and level 1 and 2 network switches.
The assessment also includes the review and analysis of IA devices in the network such as firewalls and intrusion detection systems. The IA device assessments will be conducted in accordance with the associated STIG guidance and respective checklists. The standard for this requirement is established by DISA SRR procedures and OSD CIO SOP; the maximum allowable degree of deviation is 0; surveillance will be accomplished through government lead oversight.

Subtask 2. Improve the IT security posture by assisting with drafting and presenting security strategies to OSD. The standard for this requirement is established by DISA SRR procedures and OSD CIO SOP; the maximum allowable degree of deviation is 0; surveillance will be accomplished through government lead oversight.

Subtask 3. Assist with DoD Information Assurance Vulnerability Alert (IAVA) implementation. The standard for this requirement is established by DISA SRR procedures and OSD CIO SOP; the maximum allowable degree of deviation is 0; surveillance will be accomplished through government lead oversight.

Task 3. STIG Technical Evaluation.

Subtask 1. Evaluate Windows operating system IA vulnerabilities, using DISA guidance and tools. The standard for this requirement is established by DISA SRR procedures, DISA STIG guidance, DISA tools (Gold Disk procedures) and OSD CIO SOP; the maximum allowable degree of deviation is 0; surveillance will be accomplished through government lead oversight.

Subtask 2. Evaluate UNIX operating system IA vulnerabilities, using DISA guidance and tools. The standard for this requirement is established by DISA SRR procedures, DISA STIG guidance, DISA tools (UNIX script procedures) and OSD CIO SOP; the maximum allowable degree of deviation is 0; surveillance will be accomplished through government lead oversight.

Subtask 3. Evaluate Oracle and Microsoft SQL database IA vulnerabilities, using DISA guidance and tools.
The standard for this requirement is established by DISA SRR procedures, DISA STIG guidance, DISA tools (DISA script procedures) and OSD CIO SOP; the maximum allowable degree of deviation is 0; surveillance will be accomplished through government lead oversight.

Subtask 4. Evaluate Microsoft web server IA vulnerabilities, using DISA guidance and tools. The standard for this requirement is established by DISA SRR procedures, DISA STIG guidance, DISA tools (Gold Disk/script procedures) and OSD CIO SOP; the maximum allowable degree of deviation is 0; surveillance will be accomplished through government lead oversight.

Task 4. Analysis Services. Analyze security-related network architecture designs and provide guidance and recommendations to OSD. Analyze commercial products and their compliance with the Security Technical Implementation Guide (STIG) security controls. The standard for this requirement is established by DISA SRR procedures and OSD CIO SOP; the maximum allowable degree of deviation is 5%; surveillance will be accomplished through government lead oversight.

Task 5. Resolution and Implementation Support. Provide onsite and telephonic support to OSD to assist with the implementation and management of a proactive security program, to include implementing STIG requirements and patches, waiver/extension/POA&M processing, and overall tracking of the security posture in the Vulnerability Management System (VMS) database. Provide support in the development of (desktop) images to ensure the security requirements are incorporated. Provide IA technical analysis and remediation support for the IA vulnerabilities identified in the IA vulnerability assessments conducted by this team. The standard for this requirement is established by DISA SRR procedures, STIG guidance/procedures, VMS guidance/procedures and OSD CIO SOP. The maximum allowable degree of deviation is 3%; surveillance will be accomplished through government lead oversight.
CERTIFICATION: Contract personnel are required to be IA certified per DoD 8570.1, holding CISSP-level certifications. Personnel will be required to be certified at IAT Level III, in accordance with DoD 8570.1-M.

SECURITY CLEARANCE: Contractor personnel must be US citizens and have an active DoD SECRET, TOP SECRET, or TOP SECRET/SCI clearance.

RESPONSES: Responses to this RFI are to be submitted to David.Slye@osd.mil and Emyrose.Calicdan@osd.mil via email no later than (NLT) 24 March 2011, 2:00 PM Eastern Daylight Time (EDT). Proprietary information and trade secrets, if any, must be clearly marked on all materials. All information received that is marked Proprietary will be handled accordingly. Please be advised that all submissions become Government property and will not be returned. All government and contractor personnel reviewing RFI responses will have signed non-disclosure agreements and understand their responsibility for proper use and protection from unauthorized disclosure of proprietary information as described in 41 USC 423. The Government shall not be held liable for any damages incurred if proprietary information is not properly identified.

POINTS OF CONTACT: David Slye, OSD CIO, (301) 878-2603, email: David.Slye@osd.mil; Emyrose Calidan, (703) 699-3566, email: Emyrose.Calicdan@osd.mil
 
Web Link
FBO.gov Permalink
(https://www.fbo.gov/spg/DISA/D4AD/DITCO/E200406/listing.html)
 
Place of Performance
Address: National Capital Region, Washington D.C., and Northern Virginia regional area. There will be occasion to travel to other locations within the continental United States, United States
 
Record
SN02403728-W 20110319/110317235005-1edadbd71fc6f9a8e2f9f871c2cc60e9 (fbodaily.com)
 
Source
FedBizOpps Link to This Notice
(may not be valid after Archive Date)
