SOURCES SOUGHT
70 -- Automated Assessment And Authorization And Continuous Monitoring Solution
- Notice Date
- 6/10/2016
- Notice Type
- Sources Sought
- NAICS
- 511210 - Software Publishers
- Contracting Office
- Department of State, Office of Acquisitions, Acquisition Management, 1735 N. Lynn St., Arlington, Virginia, 22209, United States
- ZIP Code
- 22209
- Solicitation Number
- SAQMMA16I0053
- Archive Date
- 6/30/2016
- Point of Contact
- Glenn Thuman
- E-Mail Address
- ThumanWG@state.gov
- Small Business Set-Aside
- N/A
- Description
- Sources Sought - Automated Assessment And Authorization And Continuous Monitoring Solution

The Department of State (DoS)/Office of Acquisition Management (OAM) will be acquiring an automated assessment and authorization and continuous monitoring solution that is utilized as a repository for the DOS Risk Management Framework artifacts. DoS is seeking sources that can provide products that are equal to or better than Telos Corporation's Xacta Assessment Engine with Smart View, Xacta Continuum, and Xacta Compliance Campaign Manager. These software services are critical to improving the protection of DoS's information technology systems. Responses to this announcement are needed to help inform acquisition planning and to identify capable sources.

To be competitive for contract award, it is anticipated that vendors will have to be capable of providing the following: a perpetual software license for a browser-based software package for a risk management solution, security compliance management, risk assessments, and internal cybersecurity audits that will cover unlimited projects/systems, correlate results from multiple security products across an organization into a single view, and map them to the relevant controls for security and risk management, such as NIST 800-53, CNSS 1253, DODi 8570.2, ISO and others. The software shall allow for static and continuous collection of IT asset and security configuration information based on programmable schedules. Included with the software will be a host information agent plus unlimited vendor-agnostic plug-in availability.

Specifications for this product are as follows:

- COTS products with inherent capabilities out of the box, with no custom configuration required.
- Automated means to migrate legacy data from existing applications to the automated tool of choice.
- Streamline the Risk Management Framework (RMF), risk assessment, and reporting processes.
- Capable of interfacing and exchanging data with dependent systems through APIs or corporate data warehousing.
- Template development, customizable based upon organization-specific workflows, with options for generic regulation templates included out of the box, including but not limited to adding or deleting custom steps, roles, approvals, notifications, and read/write access.
- Capture pertinent data about a system and utilize automated document generation to aggregate user input across multiple functional areas and incorporate standardized document design. Custom formats for the System Security Plan (SSP), Security Assessment Report (SAR), ATO Letter, Security Controls Traceability Matrix (SCTM), and other documents shall be supported as required. In addition, document generation shall be supported as a background process while front-end users complete other assessment steps.
- Automate categorization by use of security data types as defined by NIST 800-60 or additional customized regulatory policies. Applicable controls shall be auto-selected based on this categorization.
- Capable of multiple inheritance for common control providers to satisfy single or multiple controls. The tool shall maintain a persistent awareness of the relationship between systems that have been selected to inherit controls and notify all parties when a control needs to be updated or has failed an assessment.
- Leverage security control overlays as defined to enhance the supplemental guidance and parameter values provided for the security control baseline. As control selection cascades down through subsequent RMF tasks, the tool must have an accurate applicable control set. The tool shall be able to automatically de-conflict conflicting overlays and control applicability.
- Transition seamlessly to the most up-to-date industry regulations. With a push of a button, regulatory content shall be updated based on an organizational mapping to translate requirements to new policies, correlating the corresponding controls, test plans, and results between the standards accordingly.
- Collect and correlate results from multiple security sources and map them to the relevant controls in support of risk management and continuous monitoring. The tool should have adaptive mapping technology to learn mappings over time.
- Provide facilities for continuous monitoring of controls, to include periodic control evaluation and the concept of assessment cycles. Additionally, the tool shall be able to schedule assessment cycles, notify users of upcoming due dates, and produce metrics analyzing historical trending of assessment results over many cycles.
- Provide the capability to propagate the assessment of vulnerabilities based on CCE/CWE/CVE relationships, as well as cascade the analysis of one asset to all related assets across the enterprise.
- 100% SCAP compliant, including industry-standard XCCDF script compatibility. Additionally, ingest functionality for NIST Open Checklist Interactive Language (OCIL) content shall be included.
- Integrate with any third-party scanners, agents, or assessment tools, including any available in the future, with little to no required adjustments for rapid ingestion of vulnerability and asset information in SCAP-compliant format. Modifications to the IT host environment shall be readily detectable, and accordingly the tool shall leverage scheduled and ad hoc compliance tests to address these changes.
- Provide role-based and custom workflow training. Computer-based training and classroom training are required.
- Incorporate an executive status page with a configurable dashboard that provides senior-level users with both simple navigation and robust information, enabling quick and accurate review of assessments and actions on authorization decisions.
- Annual maintenance for the above product and unlimited users, to include expert consulting support, unlimited help desk support, access to bug fixes, service packs, agency-level content updates, and version functionality upgrades.

PURPOSE

This sources sought notice is seeking responses from GSA Schedule contractors that can provide the required services under GSA Schedule 70, General Purpose Commercial Information Technology Equipment, Software, and Services, or other appropriate GSA Schedule. This synopsis encourages responses from all qualified and capable GSA Schedule contractors. Responses from vendors that do not have a GSA Schedule contract are not desired and will not be considered. The data obtained from this notice will assist the Government in understanding the capabilities available in the IT services marketplace and aid in the development of a solicitation for the required software suite.

TERMS OF THIS SOURCES SOUGHT:

1. The Government does not intend to award a contract on the basis of this sources sought notice or reimburse any costs associated with the preparation of responses.
2. This sources sought notice is issued solely for information and planning purposes and does not constitute a solicitation.
3. All information received in response to this notice marked "Proprietary" will be handled accordingly.
4. In accordance with FAR 15.201(e), responses to this notice are not offers and cannot be accepted by the Government to form a binding contract.
5. Responses to this sources sought notice will assist DoS in determining the potential level of interest, competition adequacy, and technical capabilities of industry respondents (specifically small businesses) to provide the required products and services.
6. DoS may also use this information to assist in developing any subsequent subcontract plans and small business goal percentages.
7. The Government does not guarantee any action beyond this notice.
8. Please be advised that all submissions become Government property and will not be returned.

SCOPE OF ANTICIPATED EFFORT

The objectives for this effort are to procure, implement, operate and maintain, train and document the software suite described above. Additionally, the contractor shall be capable of providing additional services to implement, operate and maintain the software suite, in order to realize the full functionality and benefits of the products, as described in the contractor's GSA Schedule contract and in its promotional materials, product literature and website. Finally, the contractor will implement necessary upgrades to the software suite in accordance with NIST, CNSS, and DOS guidance. All stakeholders who process assessment and authorization documentation and support continuous monitoring efforts within DOS will utilize this enterprise solution. The contractor shall provide Subject Matter Expertise (SME) support to the Information Assurance Directorate of the Information Resource Management Bureau, located at the DOS, in the following areas: use of the software suite, processes, workflows, training, reporting, and documentation.

REQUIREMENTS

This market research effort will aim to provide the information detailed below. The information will be instrumental in providing the background needed to construct a solid requirement and form a successful acquisition strategy.

Section 1 - Cover Letter. The cover letter shall include the following:

1. Company information - Include company name, 2 points of contact and contact information (name, address, phone number, website URL if available, email address, and fax number), Cage Code, DUNS Number, and GSA Schedule contract number.
2. Current Security Clearance level(s) held, if any, and Labor Category - Clearance Matrix.

Section 2 - Product/Service Description.

1. A description of offered products that meet the requirements of the previously detailed software suite, including any product/marketing literature and company webpage links to the offered products.
2. Labor categories available to be used in supporting implementation, operation, maintenance, training and documentation.
3. Describe your firm's experience in delivering the required software suite.

DISCLAIMER

This sources sought notice is not a solicitation. This notice is issued solely for information and planning purposes and does not constitute a solicitation. All information received in response to this notice that is marked "proprietary" will be handled accordingly. Responses to the sources sought notice will not be returned. In accordance with FAR 15.201(e), responses to this notice are not offers and cannot be accepted by the Government to form a binding contract. Responders are solely responsible for all expenses associated with responding to this notice.

ATTENTION: Contractors must be registered with the System for Award Management (SAM) to be eligible for contract award or payment. Information on registration and annual confirmation requirements may be obtained via http://www.sam.gov

RESPONSE SUBMISSION INSTRUCTIONS

The responses submitted shall be in sufficient detail and clarity to provide DOS with the information it needs. Responses to this sources sought notice shall meet the following standards:

- Responses limited to 2 pages for Section 1, Cover Letter; 5 pages for Section 2, Product/Service Description.
- Text no smaller than 10 point.
- Text included in graphics, tables, and figures can be no smaller than 9 point.
- Limit any foldout pages to two per section.
- The cover page, cover letter, and table of contents are not included in the total page count.
- Fully address Sections 1-2 as outlined above.
- Electronic version of your response only, in Microsoft Word 2010 compatible files, to Wm. Glenn Thuman (DoS/AWM Support Contractor) at thumanwg@state.gov, no later than June 15, 2016 at 5:00 PM ET.

QUESTIONS SUBMISSION INSTRUCTIONS

Questions must be submitted by June 13, 2016 at 5:00 PM ET to the email address above.
- Web Link
- FBO.gov Permalink: https://www.fbo.gov/spg/State/A-LM-AQM/A-LM-AQM/SAQMMA16I0053/listing.html
- Record
- SN04145743-W 20160612/160610234050-32dcbe54e697e266eb8fe19bfe7b181b (fbodaily.com)