Loren Data's SAM Daily™

fbodaily.com
Home Today's SAM Search Archives Numbered Notes CBD Archives Subscribe
FBO DAILY ISSUE OF APRIL 15, 2010 FBO #3064
MODIFICATION

70 -- RECOVERY: RFI for Anti Virus Software and DLP Software

Notice Date
4/13/2010
 
Notice Type
Modification/Amendment
 
NAICS
423430 — Computer and Computer Peripheral Equipment and Software Merchant Wholesalers
 
Contracting Office
U.S. Department of State, Office of Logistics Management, Acquisition Management, P.O. Box 9115, Rosslyn Station, Arlington, Virginia, 22219
 
ZIP Code
22219
 
Solicitation Number
1019033036_101903B000
 
Archive Date
4/29/2010
 
Point of Contact
Amanda N. Rogers, Phone: 7038755481
 
E-Mail Address
rogersan@state.gov
(rogersan@state.gov)
 
Small Business Set-Aside
N/A
 
Description
Request for Information (RFI) 1019033036/101903B000 Department of State (DoS) is performing market research to determine industry interest and capabilities for antivirus software and data loss prevention software. This is a Request for Information (RFI) announcement only. This is not a solicitation or request for proposal and in no way commits the Government to award a contract. DoS welcomes any and all constructive feedback/comments regarding this RFI. The Government does not intent to award a contract(s) based solely on the submissions of this RFI nor does it intend to pay for any costs incurred in response to this announcement. This RFI is solely intended for information and planning purposes and does not constitute a solicitation. Responses to this notice are not offers and cannot be accepted by the Government to form a binding contract. Respondents are solely responsible for expenses associated with this RFI. Respondents will not be notified of the result of the review. This RFI is separated into two technical requirements sections (page limitation applies to each section, i.e. 5 pages for AV and 5 pages for DLP if contractor is addressing both): (1) Anti-Virus Software and Maintenance and (2) Data Loss Prevention Software. The instructions below apply to both sections of the RFI. Please note respondents are not required to address both sections, a respondent may address one or both sections of this RFI. If a respondent addresses both sections please divide your responses in two seperate documents (PDF or Word) and label accordingly. Additionally, the Government reserves the right to determine if the Anti Virus Software and Data Loss Prevention Software will be combined or separate for a future award. General Instructions: 1.The Request for Information response shall include the following (for each individual technical requirement, i.e. DLP and AV): a.A capability statement that addresses all requirements identified in each individual technical requirements section and sub-section. In addition, the capability statement should discuss the product’s capabilities relative to potential requirements, the product’s requirements and any other pertinent information that would enhance the understanding of the software and maintenance. Limit your response to five (5) pages. b. Past performance information may include both government and commercial work that the offeror has performed. Include customer names and addresses, description of work performed/delivered, description of types/complexity of systems worked on, description of strategies to accomplish the work, description of communication strategies with the customer, and significant accounting and information technology issues resolved. Limit your response to two (2) pages. c. Feedback and/or comments in regards to this RFI. 2. Sale brochures, videos, and other marketing information materials are not solicited and will not be reviewed. 3. Do not submit cost or price information with the response. 4. Interested companies shall submit an electronic copy of their response via email to: Contract Specialist, Amanda Rogers: RogersAN@state.gov. The due date and time for submission of responses is (Wednesday, April 14, 2010, 9 am Eastern Standard Time). 5. No phone calls related to this Request for Information will be accepted. All correspondence shall be via email. 6. Any proprietary information contained in the response must be marked accordingly. 7. Offerors shall include their GSA Schedule Contract Number or GSA Government-Wide Acquisition Contract Family and Number. 1. Technical Requirement One: Anti-Virus Software and Maintenance For technical requirement one, the capability statement shall also demonstrate experience with program engineering, production control and delivery of modernized information technology systems. Background: The U.S. Department of State desires to acquire an all-in-one, multi-feature anti-virus solution that detects, eradicates, scans, and blocks malware, such as viruses, worms, Trojan horses, spyware, phishing, adware, and other malicious cyber threats at the computer desktop. The Department’s objective for an anti-virus solution is to identify the proposed effort to effectively and efficiently provide the DoS Systems Integrity Division (SI) with anti-virus support and maintenance via a centralized, multi-feature, all-in-one, anti-virus software package and network access control (NAC). The anti-virus software will be used globally to protect the desktop computers from malicious code viruses and enforce configurable policies and it also includes the following: • Improve the security posture of computer desktops and servers; • Strengthen the security posture of the Department’s network; • Maintain a standardized, centrally managed anti-virus solution on the unclassified and classified networks. 1.1 Enterprise Antivirus Solution Requirements: • Unlimited, live 24/7 human technical support; (vendor website or email address does not meet this requirement); • License, support and daily updates for existing AV products during transition. • Product Subject Matter Expert (SME) assistance from a senior (3 to 4 years experience) support engineer(s) (vendor specific); • Onsite product SME for deployment, training and problem solving; (not the same as the support engr. above); • All components (anti-virus, anti-spyware, protection from zero-day threats against unknown threats, host-based firewall, network access control, application control, device control, & intrusion prevention) must be an all-in-one solution managed by a centralized database; • Support installation, operation, patch, update and maintenance without access to the internet or special keys; Product must work on closed networks. • Vendor specific support engineer must be available to travel and provide customer onsite support as required. Local travel may be required; • Prevent malware from disabling or changing anti-virus (and other security tools) running on targeted system (s); • Network Access Control (NAC) tools to verify security configuration, current signature files, and patch level compliance before granting access to the network; • NAC must be capable of operating in transparent (learning) mode without enforcement; • Provide a website or email address for submission of sample undetected threats for analysis and inclusion in signature files (response within 8 hours); • Deploy anti-malware software and signatures both by auto update and manual update to all computers on a daily basis; • Automated system must verify that all clients have received current signature updates; • Software upgrades and patches as required; • Centralized Management Console; • Logs from all clients into a searchable central database by client, threat, time and Organizational Units (OU); • Macintosh and UNIX support required; • The ability to read/import and utilize Active Directory (AD) Organizational Units (OU) and allow the creation of non-Active Directory OU for clients not found in AD for client management; • Product does not alter, modify, or require write access to Active Directory; • Support multiple polices and configuration settings; Must be able to share between areas or applied individually; • 100% redundant management; Product must support replication of all data between multiple management servers. Client must automatically switch to a working manager if the primary fails; • Provide employee anti-virus software Home Use Program at no additional cost; • A Software Development Kit (SDK) available for flash drive vendors to leverage to provide on-board AV protection on the drives; • Prevention of the installation of unauthorized applications; • The restriction of the use of removable media/devices such as USB tokens, hard drives, CDs/DVDs, mounted network shares, external SATA devices, firewire devices, etc. to specially approved devices. Approval should be by device serial number or class and allow wild cards; • Remote diagnostics to speed up problem resolution; • International service coverage. 1.2 Management of Antivirus Software • A solution capable of centrally managing all of the following required components: Antivirus, Antispyware, Application and Device Control, Firewall, IPS engine, Self/Peer to Peer, Network Based Access Control (NAC) enforcement, NAC enforcement, behavioral heuristics, and lock-down. • Drag-and-drop multidimensional report and dashboard creation. • Automated incident prioritization. • Forensic analysis through free-form pivot tables. • The solution must have no single point of failure and be capable of providing continuity of operations in the event of a failure of the main production environment. • Location awareness must allow clients to automatically and transparently switch to COOP site in the event of failure and to change configurations between locations. • Failover of solution must encompass all integral components including database replication of policies, logs, and content. 1.3 Antivirus/Antispyware • Solution must support disabling scans while running on laptops operating on battery power; • Solution must provide kernel level rootkit detection and remediation. 1.4 Application and Device Control • Must support black listing and white listing device control by class/vendor ID. Also application control of behavior such as reading, writing, or launching of processes to/from white listed devices; • Ability to block/allow access to Registry Keys, files, folders, and process execution/DLL loading. 1.5 Host Based Firewall and IPS Engine • Firewall must support schedule based rules, multiple Ethernet protocols/frame types, Anti-MAC spoofing, and OS masquerading; • IPS must support vendor supplied signatures, user generated custom signatures, and have Zero Day Threat prevention capabilities. 1.6 Network Access Control Assessment: • Include standard checks of the operational status and currency of multivendor AV, Antispyware and Firewall components and include standard checks for Microsoft critical updates and service packs; • Granular custom checks including: –registry checks including; existence of a key, existence of a value, equality of value, success or failure of an operation to set a registry value, and success or failure to increment registry DWORD settings. –File checks, including; existence, size, date, and hash sum. –Existence or operational status of a process or service. –The ability to prompt users with dialogue screens such as confidentiality statements to pass compliance only after user confirmation. –Ability to perform multiple checks using Boolean logic. 1.7 Network Based Access Control Enforcement: • Be infrastructure vendor agnostic, not require uniform router and or switch restrictions, and include IOS versions of infrastructure components. • Allow for a variety of enforcement techniques including; DHCP, 802.1x, Gateway (in-line bridge), and integration with other network access control platforms such as Microsoft NAP. 1.8 Network Based Access Control Remediation: • Be able to leverage existing Patch Management solutions to automatically remediate endpoints without user intervention including; mandatory security patch updates, AV signature updates, driver updates, and application software updates; • Have options for each check including the ability to execute a script/process, create an event, or modify a registry entry; • Provide capabilities of endpoint health/worthiness remediation regardless of network connectivity; • Have the ability to perform continuous monitoring of compliance with the ability to automatically remediate, quarantine, lock-out, and provide access based on the status of policy. 1.9 Security Content Automation Protocol (SCAP): SCAP comprises a suite of specifications for organizing, enumerating, and expressing security-related information in standardized ways. The data can also be used to leverage problem solving related to malware. Additionally, the following features are desired, but not essential: 1) Authoritative White-Listing Software white-listing technology that allows systems to run only approved applications and prevents execution of all other software on the system. 2. Technical Requirement Two: Content Aware Data Loss Prevention (DLP) Background: This Data Loss Prevention (DLP) initiative is one component of an overall Department of State security and privacy strategy. DLP will support an in-depth of monitoring of user-generated information not currently performed by the Department. Currently, the Department’s Sensitive but Unclassified Network (OpenNet) uses a notification (“warning banner”) that provides necessary and sufficient notice to users of the monitoring of their activity against all IT resources and networks. Federal workplace privacy law uniformly permits unlimited monitoring of employee use of IT resources. It is unlikely that employees now expect actual word-by-word inspection of content of emails and files to detect the presence of sensitive data such as social security numbers (SSNs), credit card numbers, and other PII. DLP will (1) reduce the risk of exposure of information sent by unsecured e-mail outside of OpenNet; (2) monitor the writing of sensitive files to removable media located on the desktop; and (3) detect sensitive information on servers that may no longer serve a business purpose. The objective of this section of the RFI is to identify specifications for a DLP capability that will support the Department in meeting the Office of Management and Budget (OMB), National Institute of Standards and Technology (NIST) and Federal Information and Security Management Act (FISMA) requirements listed below. NIST Draft-SP800-122.pdf; http://csrc.nist.gov/publications/PubsSPs.html FISMA http://csrc.nist.gov/drivers/documents/FISMA-final.pdf OMB 06-16: Issued in June of 2006, this memorandum encouraged the completion of a checklist for the protection of remote information, and provided additional recommendations for protecting PII being stored or transported offsite and accessed remotely. OMB also recommended that all departments and agencies implement protections for remote access to PII by: • Encrypting all PII (if remote storage is permitted) or removing all PII (if it is not) • Tracking the download of database extracts to laptops and removable media that contain PII • The removal of this data 90 days after it is no longer needed. These recommendations became mandatory with the subsequent release of M-07-16. http://www.whitehouse.gov/OMB/memoranda/fy2006/m06-16.pdf OMB M-06-19: Issued in July of 2006, updates a Federal Information and Security Management Act (FISMA) of 2002 requirement that agencies report security incidents to a Federal Incident Response Center (US CERT) located within the Department of Homeland Security. http://www.whitehouse.gov/OMB/memoranda/fy2006/m06-19.pdf OMB M-07-16: Issued in May of 2007, makes mandatory the guidelines that were initially outlined in M-06-16 regarding the use of encryption and other security controls. The memorandum also introduces new privacy requirements, calling for agencies to review and reduce the volume of personally identifiable information, in particular the collection and use of social security numbers. In addition, this memorandum modifies certain aspects of the data loss reporting requirements outlined in M-06-19, and requires agencies to develop and implement a breach notification policy within 120 days. http://www.whitehouse.gov/OMB/memoranda/fy2007/m07-16.pdf 2.2 Data Loss Prevention Software Requirements: Performance The Department of State has 70,000 global users. Performance / Scalability. List five Data Loss Prevention reference customers with more than 50,000 DLP users. Full DLP Scalability. Indicate at least two of the 50,000 user DLP references that are using Network, Endpoint, and Large Data Store Discovery DLP. (Sometimes referred to as Large Data Store Discovery; DLP is also referred to as Datacenter or Storage DLP.) Overall Viability DLP Market Share. As part of overall risk mitigation, the Department of State evaluates vendors partially based upon previous success, including market share. What is your DLP market share as designated by a major industry analyst (i.e. Gartner, Forrester, IDC, Burton Group)? Government Certifications FIPS 140-2. How does your DLP solution meet U.S. Federal Government FIPS 140-2 encryption requirements across all databases and system-to-system communication? OMB M-06-16/M-07-16. Database Extracts. The Department of State has 75 systems listed under the Privacy Act with sensitive information. How does your solution meet OMB M-06-16 and M-07-16 requirements for finding and protecting sensitive database extracts from all Privacy Act systems? Integrated Management The Department of State seeks a unified DLP system to minimize IT and operational system management and operational costs. The following questions apply to a full Network, Endpoint, and Large Data Store Discover DLP configuration. Policy Console. It is the Department of State’s requirement that all DLP privacy and security policy definitions across Network, Endpoint, and Large Data Store Discovery DLP are defined in one console. Reporting Console. It is the Department of State’s requirement that all DLP privacy and security reporting across Network, Endpoint, and Large Data Store Discovery DLP be managed from one console. Integration with Department of State Infrastructure Database. Most enterprise Department of State systems with a database use an Oracle database. How many databases are required or incorporated within your system for a customer using Network, Endpoint, and Large Data Store Discovery DLP? Are there any non-Oracle databases in your DLP solution? If there are any non-Oracle databases, how many and what type? Are all databases provided by DLP vendor? Is all database support provided by the DLP vendor support? iPost. The Department of State is using its own system—iPost--for integrated SCAP and IT system reporting. How can your DLP system provide reporting information to iPost? LDAP. The Department of State seeks to minimize IT integrations. Does your system require one or two LDAP integrations for full integration across, Network, Endpoint, and Large Data Store Discovery DLP? Web Proxies. The Department of State uses BlueCoat web proxies. Is your solution a BlueCoat certified solution for Network DLP message blocking? Remedy. The Department of State uses Remedy for IT help desk ticket management. Does your solution have out-of-the box integration with Remedy to generate IT tickets based upon any DLP policy violating incident? Integration with Department of State Operations Federated Model. The Department of State has multiple bureaus and offices, such as Consular Affairs, Administration, Resource Management, Diplomatic Security, etc. Explain how your DLP solution provides a federated role based security control with limits for incident access for a role by policy, by department bureau, by country or geography, by severity or remediation status, or by any user-defined custom attribute? For example, would/could only within Foreign Service Officers be provided access to see DLP incidents attributed to Foreign Service personnel? Privacy Control. As per Department of State privacy policy and experience, contractors and other individuals are not to be given access to other DoS employees’ privacy data. Explain how your DLP solutions provides privacy control with redaction of certain DLP incident data (such as sender email address, username, and sensitive incident content) from specific users such as contractors who may be first-level incident responders/analysts? Severity and Escalations. As per Department of State experience, some DLP incidents may be of higher severity than others due to content (such as classified data, VIP PII data) or amount of data in an incident (hundreds or thousands of records as opposed to a handful of records.) Severity Levels. Does your DLP system provide different incident severity levels? Automatic Escalation. Does your DLP system support automatic initiation of different notifications and remediation tasks based upon varying DLP incident severity level? Notifications. The Department of State is required to automatically notify US-CERT and DS-CIRT for certain Network, Endpoint, or Large Data Store Discovery DLP incidents as per OMB M-06-19. The questions below apply to Network, Endpoint, and Large Data Store Discovery DLP incidents, i.e. an employee writes policy violating data to a CD/DVD or emails policy violating data to one’s personal email account. US-CERT & State-CERT. Does your DLP system support simultaneous notification of US-CERT and DS-CIRT for a particular type of DLP incident? Simultaneous Notifications. Does your DLP system support simultaneous notification of US-CERT, DS-CIRT, the Department of State Privacy Office, the employee’s manager, and system owner for a particular type of DLP incident? DLP Product / Service Remediation. The Department of State plans to incorporate automatic remediation of DLP incidents. Network DLP Remediation. The Department of State requires Network DLP component to automatically remediate network policy violations via blocking, forwarding to third- party encryption gateways, etc. Large Data Discovery DLP Remediation. What automatic remediation actions (quarantine, encryption, etc.) does your solution provide for policy violating files found in Large Data Store Discover DLP? Does your Large Data Store Discovery DLP remediation solution support more one certified encryption vendor today? Endpoint DLP. The Department of State has over 60,000 endpoint laptops or desktops. The DLP requirements below are for its Endpoint DLP use. Content Aware. The Department of State requires that Endpoint DLP detection be based solely based upon real-time file content data analysis, and not based upon previous tags or human tagging definitions. Audit & Control. The Department of State requires the Endpoint DLP component to provide logging/audit as well as blocking capabilities for policy violating USB copies, CD/DVD copies, HTTP (such as webmail) transactions, IM, and FTP transactions. Pop-Up Notifications. To reduce calls to helpdesk and other operations, the Department of State requires the Endpoint DLP component to provide pop-up information notifications for policy violating actions when in logging/audit mode and pop-up notifications for blocking actions. Endpoint Agent. Does your DLP solution use more than one DLP agent for Endpoint Data Discovery, Audit, and Control? Endpoint Agent Deployment. Does your solution support the use of SMS/SCCM to install agents? Endpoint Platform Support. Does your Endpoint DLP solution natively support Windows XP, Vista, and Windows 7? Network DLP. Department of State has multiple networks, including classified and unclassified networks. Monitoring and Blocking. The Department of State requires a Network DLP component to monitors all emails including attachments, HTTP including uploaded files, FTP, and all TCP/IP traffic. Air Gap Security. Describe how your solution can support the need to prevent classified data from entering the Department of State’s unclassified network. Employee / User Notification. The Department of State requires a Network DLP component to automatically notify employees of policy violating actions. Large Data Discovery DLP. The Department of State has hundreds of terabytes of stored data and requires the DLP system to identify stored sensitive data as per the requirements below. Identify Dormant Data. The Department of State requires that Large Data Discovery DLP find sensitive stored data in forgotten files and systems on file servers. Does your Large Data Discovery DLP natively mount each file server to scan for sensitive data? Provide detail. Additionally, does your Large Data Store Discovery DLP modify any of the file access or file modified dates? File Information. The Department of State plans to prioritize findings from Large Data Discovery DLP based upon such items as file Access Control Lists (ACL). Does your solution display full Microsoft ACLs for policy violating files? Enterprise Management. So as not to impact Department of State network usage and operations, scheduling of Large Data Discovery scans is imperative. Does your solution have the ability to schedule (including automatic pausing of scans) so that all scanning is during non-production hours? Undocumented Systems. The Department of State is very concerned with undocumented systems with large amounts of sensitive data. Does your solution scan Oracle, Microsoft, and IBM db2 databases for sensitive data? 2.3 Additional Requirements for DLP: Provide the required hardware pieces needed for the Data Loss Prevention Software in the capabilities statement. The following Clauses apply to this RFI: 52.203-15 52.204-11 52.212-5
 
Web Link
FBO.gov Permalink
(https://www.fbo.gov/spg/State/A-LM-AQM/A-LM-AQM/1019033036_101903B000/listing.html)
 
Record
SN02120571-W 20100415/100413235134-cbe964dacea820706a4c7399e2b1f004 (fbodaily.com)
 
Source
FedBizOpps Link to This Notice
(may not be valid after Archive Date)

FSG Index  |  This Issue's Index  |  Today's FBO Daily Index Page |
ECGrid: EDI VAN Interconnect ECGridOS: EDI Web Services Interconnect API Government Data Publications CBDDisk Subscribers
 Privacy Policy  Jenny in Wanderland!  © 1994-2024, Loren Data Corp.