Loren Data's SAM Daily™

 fbodaily.com
Home Today's SAM Search Archives Numbered Notes CBD Archives Subscribe
FBO DAILY ISSUE OF MARCH 22, 2007 FBO #1942
MODIFICATION

D -- Security Monitoring Services

Notice Date
3/20/2007
 
Notice Type
Modification
 
NAICS
541690 — Other Scientific and Technical Consulting Services
 
Contracting Office
Department of Education, Contracts & Acquisitions Management, Contracts (All ED Components), 550 12th Street, SW, 7th Floor, Washington, DC, 20202, UNITED STATES
 
ZIP Code
00000
 
Solicitation Number
Reference-Number-eia070007
 
Response Due
3/27/2007
 
Archive Date
4/11/2007
 
Small Business Set-Aside
Total Small Business
 
Description
The purpose of this amendment is to provide clarification for each of the Core Competencies provided in Section C of the original Sources Sought Notice posted on March 13, 2007. The information included in Sections A and B remain unchanged. I. Security Policies, Procedures, and Federal Regulations The contractor possesses a comprehensive set of documented, current policies that are periodically reviewed, updated, and enforced which are available for client review. II. Contingency Planning; Operational and Disaster Recovery The contractor's ability to provide business continuity and disaster recovery (BC/DR) plans for critical assets that have been tested and found effective. III. Physical Security The contractor's ability to control, monitor and review physical access to information assets and IT services and resources based on their importance. IV. Data Handling The contractor's ability to handle client data in accordance with the data's classification (e.g., confidential, sensitive, public) and complies with client data handling requirements (policies, procedures, regulations). Media is visibly marked to identify the data's classification. The contractor's ability to restrict access to highly confidential client data, so that it is protected and controlled. Contractor's can ensure that staff members requiring access to such data are properly identified and trained in the access requirements for this data. V. Authentication and Authorization The contractor's ability to implement the appropriate levels of user authentication and control of user access. VI. Access Control The contractor's ability to affirm that only duly authorized staff members who use and support requested service systems have access to the operating system, applications, and databases to be used in providing the requested services. VII. Software Integrity The contractor's ability to verify the integrity of installed software by: a. regularly checking for all viruses, worms, Trojan horses, and other malicious software and escalating them b. validating that up-to-date virus signatures and other relevant signatures such as those for intrusion detection systems c. regularly comparing all file and directory cryptographic checksums with a trusted baseline d. regularly verifying that client data stored on provider equipment is appropriately segregated from the data of other clients VIII. Secure Asset Configuration The contractor possesses documented procedures and processes to ensure the secure configuration of all client information assets throughout their life cycle (installation, operation, maintenance, retirement). IX. Monitoring and Auditing The contractor shall describe actions the provider takes to monitor and audit its client systems and networks. X. Incident Management The contractor's ability to evaluate and define the types of Incident reporting and triage. Primarily related to the process of the provider reviewing reports of suspicious system and network behavior and events (an incident). The contractor's ability to evaluate and define escalation policies and procedures. The contractor's ability to provide security event management services. The contractor's ability to provide the for correlation and aggregation of various log and data points. XI. Intrusion detection: The contractor's ability to alert handling. Specially concerned with what actions and countermeasures are taken when alerts are generated. The contractor's ability to provide an appropriate incident response process. The contractor's ability to provide procedures for tuning intrusion detection devices and ensuring that false positives are addressed. XII. Vulnerability Management: Ability to conduct vulnerability management and remediation and related activities such as identification and mitigation efforts, database and application scanning and remediation, and external penetration testing. XIII. Service Level Agreement The contractor's ability to allow for client-specific requirements for performance and remediation (restoration of service, customer service, response time) The contractor's ability to define client and provider responsibilities for monitoring and verifying SLA metrics. The contractor's ability to define the process by which clients may tailor or amend your SLA. XIV. Reporting Requirements Relevant areas under this element are: types of reports (i.e. trend analysis, performance planning, capacity planning), provisions for real-time access to network and system security status, timely security event and service outage reporting, and report confidentiality protection. XV. Security Engineering Requirements The contractor's ability to provide security architecture analysis. The contractor's ability to review all security related System Change Requests (SCR) for the week and raise them for discussion if need be. The contractor's ability to review all new weekly security patches relevant to the IT environment and classify the need and speed in which the security patches should be installed as defined by security policies. The contractor's ability to support projects from a security architecture perspective for all new projects thru the lifecycle. The contractor's ability to maintain all secure configuration documentation activity in accordance with industry best practices and ED policy and procedure. The contractor's ability to evaluate all the IPv6 security components in accordance with industry best practices and ED policy and procedure. XVI. Audit Support The ability to provide as needed data for various audits to include IG, Financial, C&A, and Federal audits. DISCLAIMER This Sources Sought Notice (SSN) is being issued for information and planning purposes only and does not constitute a solicitation. The Government does not intend to award a contract on the basis of this SSN or to otherwise pay for information received in response to this SSN. All information received in response to this SSN that is marked "Proprietary" will be handled accordingly. Responses to the SSN will not be returned. Information provided in response to this SSN will be used to assess alternatives available for determining how to proceed in the acquisition process. In accordance with Federal Acquisition Regulation (FAR) 15.201(e), responses to this SSN are not offers and cannot be accepted by the Government to form a binding contract. Responders are solely responsible for all expenses associated with responding to this SSN. Vendors should be aware that, due to the nature of this requirement, there is a potential for conflict of interests with an offeror's current or future business arrangements. An example of such a conflict of interest would include the delivery of services that support this requirement and the provision of any operation of those services.
 
Place of Performance
Address: The principle place of performance shall be at a contractor-owned and operated site.
Zip Code: 20202
Country: UNITED STATES
 
Record
SN01254798-W 20070322/070320220309 (fbodaily.com)
 
Source
FedBizOpps Link to This Notice
(may not be valid after Archive Date)
FSG Index  |  This Issue's Index  |  Today's FBO Daily Index Page |
ECGrid: EDI VAN Interconnect ECGridOS: EDI Web Services Interconnect API Government Data Publications CBDDisk Subscribers
 Privacy Policy  Jenny in Wanderland!  © 1994-2024, Loren Data Corp.