SOLICITATION NOTICE
D -- Security Compliance Posture Monitoring and Reporting
- Notice Date
- 1/13/2009
- Notice Type
- Presolicitation
- NAICS
- 511210
— Software Publishers
- Contracting Office
- Department of the Treasury, Internal Revenue Service (IRS), National Office Procurement (OS:A:P), 6009 Oxon Hill Road, Suite 500, Oxon Hill, Maryland, 20745
- ZIP Code
- 20745
- Solicitation Number
- TIRNO-09-R-00017
- Point of Contact
- Tonya H Yeldell,, Phone: (202)283-1168
- E-Mail Address
-
tonya.h.yeldell@irs.gov
- Small Business Set-Aside
- N/A
- Description
- Security Compliance Posture Monitoring and Reporting (SCPMaR) The Department of Treasury, Internal Revenue Service (IRS) requires an integrated security compliance posture monitoring and reporting solution that will provide the IRS with the ability to monitor, measure, and manage the Federal Information Security Management Act (FISMA) compliance of its implemented technical security controls, enterprise-wide. Towards this end, the IRS is conducting a full and open competition and will be soliciting requests for proposals (RFP) from eligible vendors who can provide an integrated comprehensive solution that meets the following minimum requirements. Security posture is defined as: Level of assurance that adequate technical security controls have been implemented to meet the information protection needs, as defined by Federal Information Processing Standard (FIPS) 200, and National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53. Security posture metrics are defined as: Degree of assurance that the technical security controls and security configurations defined by IRS and NIST have been implemented. Level of assurance that security patches specified by the IRS Computer Security Incident Response Center (CSIRC) and the United States Computer Emergency Readiness Team (US-CERT) have been implemented. Identification of IRS CSIRC/US-CERT-announced security vulnerabilities have been enumerated (e.g., SANS Top 20 and CVE) utilizing the Common Vulnerability Scoring System (CVSS). Term and Condition – Solution Qualification Criteria The “solution” – Security Compliance Posture Monitoring & Reporting (SCPMaR) System, must provide the following functional, operational, import/integration and reporting capabilities: Functional capabilities: 1.The solution shall monitor and measure the effectiveness of IRS’s implementation of mandated security controls (i.e. security configuration benchmarks) on computing assets, enterprise-wide, and in a timely manner. 2.The solution shall manage security configurations throughout the system life cycle by assessing and reporting the level of compliance with IRS and US Government standard technical security controls. 3.The solution shall use NIST-defined Security Content Automation Protocol (SCAP). Operational capabilities: 4.The solution shall automate the security compliance assessment and reporting processes to reduce the level of effort in coordination and execution, across the enterprise. 5.The solution shall facilitate the risk management process by verifying that computing assets operate within the established security configuration baselines and identify risks at the appropriate level of abstraction. 6.The solution shall support IRS change control processes by assisting the authorized organizations to define and maintain baseline security configurations with risk commensurate deviations throughout the system life cycle. Import/Integration capabilities: 7.The solution must integrate with IRS's existing IT computing infrastructure which operates in a geographically diverse environment and consists of approximately: 120,000+ Windows XP desktop workstations and laptops 1,000+ Windows-based servers running Windows 2000 Server 3,000+ Windows-based servers running Windows 2003 (x-32 and x-64 bit platforms) 1,000+ Unix-based servers running Solaris 8, 9, and 10 300+ UNIX-based servers running Red Hat Enterprise Linux 4 and 5 100+ UNIX-based servers running HP-UX 11 and IBM AIX 5.2 Most of the servers are located in 3 geographically diverse enterprise computing centers (ECC) and 10 campuses. The desktop workstations and laptops are located in across 600 post-of-duty stations (PODs) throughout the U.S. and overseas. 8.For interoperability to existing IRS IT investments, the solution must be able to import or integrate data from existing IRS platforms, systems and tools including but not limited to: Import a list of identified vulnerabilities generated from ISS Internet Scanner (Version 7.x or most current release) and Nessus (Version 3.x or most current release). Import a list of required security patches specified by IRS or US-CERT. Integrate with IRS Directory Service (DS) (i.e., Microsoft Active Directory Service) and IRS Employee User Portal (EUP) (i.e., SiteMinder) for user authentication. Integrate with NetIQ Group Policy Administrator. Integrate with Altiris Patch Manager and Sun N1 Patch Manager. Reporting Capabilities: 9.The solution must provide FISMA compliance reports in accordance with OMB M-07-19 and Federal Desktop Core Configuration (FDCC) compliance report as defined in OMB-M-07-11 using NIST-defined FDCC reporting format. A formal Request for Proposal will be posted within the next few weeks. Vendors will be invited at that time to prepare and submit proposals. Telephone and electronic inquiries will not be accepted in response to this pre-solicitation notice.
- Web Link
-
FedBizOpps Complete View
(https://www.fbo.gov/?s=opportunity&mode=form&id=39533942677d47eb919f0c73aa7a149e&tab=core&_cview=1)
- Place of Performance
- Address: Internal Revenue Service, 6009 Oxon Hill Road, Oxon Hill, Maryland, 20745, United States
- Zip Code: 20745
- Zip Code: 20745
- Record
- SN01732004-W 20090115/090113220450-39533942677d47eb919f0c73aa7a149e (fbodaily.com)
- Source
-
FedBizOpps Link to This Notice
(may not be valid after Archive Date)
| FSG Index | This Issue's Index | Today's FBO Daily Index Page |