SOURCES SOUGHT
D -- Credential Data Personal Identification Information Collection
- Notice Date
- 7/6/2018
- Notice Type
- Sources Sought
- NAICS
- 541511 (Custom Computer Programming Services)
- Contracting Office
- Department of Homeland Security, United States Secret Service, Procurement Division, 245 MURRAY LANE SW, BLDG T-5, WASHINGTON, District of Columbia, 20223, United States
- ZIP Code
- 20223
- Solicitation Number
- 70US0918R70090017
- Archive Date
- 8/21/2018
- Point of Contact
- Danielle M. Donaldson, Phone: (202) 406-6812
- E-Mail Address
- danielle.donaldson@usss.dhs.gov
- Small Business Set-Aside
- N/A
- Description
- 1.0 General Information
Document Type: Request for Information
Document Number: 70US0918R70090017
Posted Date: July 06, 2018
Response Date: August 06, 2018 (30 days after posting)
2.0 Contracting Office Address
Communications Center (PRO)
ATTN: DANIELLE DONALDSON
245 Murray Lane, SW
Bldg. T-5
Washington, DC. 20223
Responses to the RFI are to be submitted electronically. See Paragraph 9.0, below.
3.0 Purpose
This is a Request for Information (RFI) only. This RFI is being conducted pursuant to the Federal Acquisition Regulation (FAR) Subpart 15.201(e). No contract will be awarded from this announcement and no reimbursement will be made for any costs associated with providing information submitted in response to this RFI; all costs associated with responding to this RFI will be solely at the responding party's expense. This RFI is issued solely for informational and planning purposes; it does not constitute a Request For Proposal (RFP) or any obligation on the part of the Government. Responses to this notice are not offers and cannot be accepted by the U.S. Government to form a binding contract. The USSS is not at this time seeking proposals, nor will it accept unsolicited proposals. The Government will utilize the information provided only to develop the acquisition strategy for a possible future requirement. Failure to respond to this requirement does not preclude participation in the anticipated RFP (if issued). Please be advised that all submissions become Government property and will not be returned. It is the responsibility of the interested parties to monitor the Federal Business Opportunities (www.fbo.gov) site for additional information pertaining to this RFI.
4.0 Description
The United States Secret Service (USSS) is seeking candidates/vendors to collect Personal Identifying Information (PII) of event applicants pursuant to government data security requirements and create credentials with numerous security features to include RFID and/or biometrics for large major events (>30,000 credentials). The USSS is in the process of reviewing its current requirement, processes and capabilities as it relates to a wide range of credentialing. Vendors will be expected to travel domestically and rarely overseas for extended periods (customary average equals less than a 30 day period). A comprehensive background investigation of vendor personnel and production facilities would be required (if an RFP is issued).
The USSS seeks a vendor who could provide development, data management, software, and access control device (credential and underlay) production facilitation and support as well as project management coordination. During "on-site" requirements of a major event, the vendor shall continue operations and perform at TBD designated event location(s) for an approximate 15 to 30 days for each event. At the direction of the USSS, the vendor would collaborate and correspond with government and non-government organizations to create credential applicant software and supportive documentation to facilitate data retrieval, applicant name check formatting, credential production, and ultimate distribution. In addition, upon approval from the USSS, the vendor may need to pre-supply access control tools (lanyards, protective credential and underlay pocket sleeves, etc.) and/or pre-produce access control devices (to include credentials and underlays) in support of all events.
The clearance level for this RFI is unclassified; however, all personnel, both prime and subcontractor, working under this requirement must be a U.S. citizen.
If an RFP is issued, all vendor personnel involved, including on-site support, must undergo a comprehensive security background check.
5.0 Background
The USSS assumes the lead role in coordination of operational security plans for all designated National Special Security Events (NSSE). Among the areas of advance planning and coordination is event access control. The USSS Credentialing Section is responsible for design, procurement and production of temporary special event credentials. In support of these responsibilities, the USSS is researching potential vendors to facilitate and streamline the vetting of attendance data. Once the information is vetted, the Government would approve credential production for individuals attending specific events. The credential allows security officials to quickly determine identification of the person and access level of the individual.
The vendor will accomplish all aspects of event management to include industry-standard data collection as well as facilitation of design, production and distribution of credentials for events of national significance. The vendor will incorporate industry-standard security technologies, such as radio frequency transmitters and biometrics and will supply associated equipment and fully encrypted connections as required by current government information technology security standards. The vendor shall configure non-commercial web application software for users to interact and create engagements or appointments that build databases and custom web forms while allowing for the sharing of documents. Software should be specific to each event to automate the collection, management, and communication of applicant/credential information while complying with government prerequisite privacy and data security requirements.
The vendor shall provide continual access and technical support of the software and will provide an experienced technician capable of software update installation, system maintenance and software solutions.
6.0 RFI Objectives and General Requirements
6.1 Objectives
This RFI is a request for interested parties to describe their capabilities and/or demonstrated experience with information on vendors who have solutions to efficiently create 1) high-quality, 2) multi-purpose, 3) secure credentials, which over time, should be 4) adaptable to allow for additional options and enhancements. Vendors are encouraged to identify unique solutions and ideas (including innovative processes) that will result in more efficient production and PII collection solutions.
The security model for the vendor will be founded on OMB, National Institute of Standards and Technology (NIST), Federal Information Processing Standard (FIPS), the Privacy Act of 1974, Department of Homeland Security (DHS) Management Directive (MD) 4300A, The Sensitive Systems Handbook, which is used as the baseline for a number of Government-wide initiatives. FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, is a mandatory Federal standard by NIST in response to the Federal Information Security Management Act of 2002 (FISMA) and the Federal Information Security Modernization Act of 2014 (FISMA). To comply with the Federal standard, the vendor will determine the security category of the vendor information system(s) in accordance with FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, and derive the information system impact level from the security category in accordance with FIPS 200.
The vendor will then apply, at a minimum, the appropriately tailored set of baseline security controls in NIST Special Publication 800-53, which in combination help ensure that appropriate security requirements and security controls are applied to all Federal information systems.
6.2 General Requirements
The vendor must have extensive major event management and access control performance, experience and client satisfaction during a recently designated NSSE or a major event equivalent to an NSSE (NSSEs are typically defined as events attended by large numbers of people (> 30,000), often including the President of the United States and other high ranking U.S. government officials and world leaders, the object of intense media attention and public scrutiny, and an event of national significance that represent the political, economic, military, or cultural strengths of the United States.); be able to provide pre-event and on-site project management with the majority of technical and administrative staff having prior successful NSSE or equivalent major event access control performance(s), the ability to implement all required access control personnel, services, equipment, and supplies for a major event within a limited time period (possibly twenty-four hours' notice) and effectively operate at temporary TBD "on-site" location(s) for an approximate 15 to 30 days.
The USSS will conduct a comprehensive background investigation of all vendor personnel. The USSS has the right to request exclusion of any personnel from government projects and/or events for any reason. Employees with warrants, numerous felony arrests, or a felony conviction will be excluded. Due to required confidentiality laws and privacy issues, the vendor will not be provided an explanation if an employee is denied.
The vendor's facility shall also be equipped with physical security measures to safeguard generated hardware, equipment and/or devices utilized by the Government for imminent events.
Physical security involves the use of multiple layers of interdependent systems which include CCTV, security guards, protective barriers, locks, alarms, motion detectors, access control protocols, and many other techniques. Once access device production for the Government has begun, the facility should be equipped with a safe, vault and/or secure area to protect produced credentials, underlays and/or additional devices. If an RFP is awarded, government representatives will periodically perform on-site survey(s) of vendor facilities for compliance. The vendor will be briefed on the results of the on-site facility survey and given two weeks to mitigate any identified security risks. In addition, the government will routinely require government personnel to be on-site at the vendor's facility upon production of Government access devices to ensure access control accountability and help manage pre-event correspondence and planning efforts.
7.0 Acquisition Strategy
A contract is not being solicited nor awarded from this announcement; however, in the event that the Government proceeds toward a solicitation/award, a firm fixed-price contract would be most likely. Responses may include potential firm fixed-price CLIN structures for use in a possible RFP.
8.0 Inquiries
All questions regarding this RFI must be submitted, in writing via email to danielle.donaldson@usss.dhs.gov. Questions will be addressed within a reasonable amount of time, generally no more than 48 hours after receipt. All questions are due by July 31, 2018 @ 2:00pm (eastern). No questions will be accepted after that date.
9.0 Responses
9.1 Response Format
***ALL RESPONSES ARE TO BE UNCLASSIFIED. DO NOT PROVIDE CLASSIFIED INFORMATION IN A RESPONSE TO THIS RFI.***
Vendor responses should not exceed fifteen (15) pages and shall be submitted in a PDF file type.
The format for the RFI responses is described below: The Cover Page shall contain (1) Company name, (2) Primary Point of Contact, (3) Phone Number and Email Address, (4) Cage Code, (5) NAICS Code, (6) Business Size, and (7) Federal Supply Schedule (FSS) Contract Number or DHS Strategic Sourcing Vehicle Contract Number, if applicable.
9.2 Response Content
1. Introduction: Provide a brief description of existing capability to perform the requirements or provide proposed Statement of Work (SOW) language for the services and/or any proposed solution. In the event your company chooses to provide information subject to inclusion in a future RFP SOW, clearly identify those portions and provide any appropriate authorizations for release of that portion of information within any subsequent RFP SOW issued by the USSS, exclusive of any proprietary markings.
2. Technical Capability: The respondent's technical ability shall describe the services and/or any product solution(s) or dataset for the areas described in Paragraph 6.0 of this RFI. To help the Government with its gathering of market research, the responses should include an overall description of the proposed services and/or any product solution(s) and provide technical data and a demonstrated ability for those areas identified. The descriptions should include lead time/schedule information for delivery of services and/or product(s). Interested parties should provide information on their ability to use existing assets if available, and they should discuss their ability to procure, customize/configure, maintain, and/or provide technical support for the resources needed to provide the proposed services and/or product(s). Interested parties should also describe potential technical benefits of their proposed services and/or product solution(s) in terms of existing technologies or resources within industry, and they should address potential improvements/enhancements/cost efficiencies of specific approaches.
Interested parties should provide any other relevant supporting documentation demonstrating capabilities. Proprietary information and/or trade secrets, if any, must be clearly marked on all materials. All information received that is marked Proprietary will be handled accordingly.
3. Credential Data Personal Identification Information Collection: In performing duties related to management, operation, and/or access of systems under a contract, the Contractor, its employees and subcontractors shall comply with applicable security requirements described in DHS Sensitive System Publication 4300A. Failure to comply with DHS Management Directive 4300A is a potential violation of this contract. The Contractor's systems will not be integrated in any way with the Government's IT systems, nor will the Contractor access any of the Government's IT systems. In addition, the Contractor shall provide the following:
• Maintenance, accuracy, format, security and temporary storage of all received applicant and USSS data.
• The Contractor will incorporate industry-standard security technologies, such as RF transmitters and will supply associated RF equipment and fully encrypted connections using 256 bit Secure Sockets Layer (SSL).
• If required, direct contact with all responsible organizations/entities to obtain required data and facilitation of credential communication methods with each responsible organization/entity to facilitate data retrieval and access control production and distribution.
• Daily data reports or as requested by the USSS.
• Confirmation of USSS approval prior to production/distribution of credentials.
• Ability to store and format personal identifying information and allow for the secure sharing of such information with the Government.
• Deactivation of all access control devices upon conclusion of event.
The devices shall only be active during each specific event and shall not have the ability to be used at any other events, unless otherwise specified and approved by the PM.
• Securely Collects and validates Personal Identification Information
• Organizes resources by Active affiliations and skillsets
• Contractor should have in place standards and audit controls
• Contractor operations should provide USSS real time information
Encryption of data in transit and at rest must meet Federal Information Processing Standards (FIPS) 140-20 requirements; includes any electronic transmission of both PII and any/all USSS information AND PII and USSS information stored on any media (ex: hard drives, removable/portable storage devices, etc.). Specific details on Contractor encryption methods/technologies will be required requested.
Upon termination or expiration of Contractor work, data obtained under this contract shall be removed from all information technology assets utilized in the execution of this contract. Removal must be accomplished in accordance with DHS Sensitive System Publication 4300A. Certification of data removal will be performed by the Contractor's Project Manager and written notification and confirming certification will be delivered to the PM, contracting office and/or the USSS OCISO within 15 days of termination/expiration of contractor work. Data removal timeframe can be modified at the discretion of the USSS.
The Contractor will retain system logs, network logs, and security appliance logs for a minimum of three years. These logs may not contain PII.
Any confirmed or suspected security incidents (loss of control, compromise, unauthorized access, or any similar situation where persons other than authorized users, and for other than authorized purpose, have access or potential access to data, in usable form whether physical or electronic) involving PII or other USSS information must be reported immediately and no more than two hours after discovery by the Contractor via phone call to the USSS PM and USSS COTR. The Contractor is responsible for positively verifying that notification is received and acknowledged by at least one of the foregoing Government parties. The USSS will provide the Contractor written notification procedures.
In the event of a suspected or confirmed data breach, the Contractor will allow USSS personnel and USSS contractors to participate in the incident response. The Contractor will provide USSS personnel any requested artifacts as required by the incident response. A data breach of any kind is a potential violation of this contract. In the event that a data breach occurs as a result of the violation of a term of this contract by the Contractor or its employees, the Contractor shall, as directed by the contracting officer and at no cost to the Government, take immediate action to correct or mitigate the violations which may include providing notification and/or other identity protection services to affected individuals for a period not to exceed 12 months from discovery of breach. Should the Government elect to provide and/or procure notification or identity protection services in response to a breach, the Contractor will be responsible for reimbursing the Government for those expenses.
The Contractor shall limit access to the data covered by this clause to those employees and subcontractors who require the information in order to perform their official duties under this contract.
The Contractor shall use only data obtained under this contract for purposes of the contract, and shall not collect or use such information for any other purpose without the prior written approval of the PM and contracting officer. The USSS reserves the right to review the security processes, procedures and controls of the Contractor and any subcontractors to ensure/validate that the above requirements are upheld.
9.3 Response Deadline and Submission Location
Responses to this RFI must be received no later than August 6, 2018 at 3:00 PM Eastern and must be emailed to danielle.donaldson@usss.dhs.gov.
- Web Link
- FBO.gov Permalink (https://www.fbo.gov/spg/DHS/USSS/PDDC20229/70US0918R70090017/listing.html)
- Place of Performance
- Address: Washington, District of Columbia, 20223, United States
- Zip Code: 20223
- Record
- SN04981710-W 20180708/180706230506-63fe7d5453c0d67ae1d5d5eda74368dc (fbodaily.com)