Loren Data's SAM Daily™

FBO DAILY ISSUE OF MAY 12, 2011 FBO #3456
SPECIAL NOTICE

D -- Request for Information (RFI) - Enterprise Risk Management FISMA Decision Support and Reporting

Notice Date
5/10/2011
 
Notice Type
Special Notice
 
NAICS
511210 — Software Publishers
 
Contracting Office
Department of Homeland Security, Immigration & Customs Enforcement, ICE-OAQ-TC, 801 I STREET, NW, Suite 910, Washington, District of Columbia, 20536, United States
 
ZIP Code
20536
 
Solicitation Number
RFI_HSICE_130_0001
 
Archive Date
6/1/2011
 
Point of Contact
Bryan O'Shaughnessy, Phone: 2027322547
 
E-Mail Address
Bryan.O'Shaughnessy@dhs.gov
 
Small Business Set-Aside
N/A
 
Description
ENTERPRISE RISK MANAGEMENT FISMA DECISION SUPPORT AND REPORTING

Release Date: May 10, 2011
Response Date: May 17, 2011

THIS IS NOT A SOLICITATION OR REQUEST FOR PROPOSALS. NO PROPOSALS ARE SOUGHT. Any responses to this Request for Information (RFI) should be submitted by May 17, 2011.

I. INTRODUCTION

The following is a Request for Information (RFI). This inquiry is for information and planning purposes and does NOT constitute a Request for Proposal (RFP).

II. BACKGROUND

The Department of Homeland Security (DHS) U.S. Immigration and Customs Enforcement (ICE) Office of the Chief Information Officer (OCIO) has developed a number of critical IT initiatives that will help ICE modernize its IT systems, adapt and conform to modern IT management disciplines, and provide IT solutions throughout ICE. For additional information on ICE's mission see: http://www.ice.gov/about/index.htm

U.S. Immigration and Customs Enforcement (ICE) is considering procurement of commercial off-the-shelf (COTS) software for the continuous near real time monitoring of and reporting on information technology (IT) security risk assessment. This software needs to be effective, efficient and compliant to support Federal Information Security Management Act (FISMA) requirements. The purpose of this notice is to obtain information on available products and associated services, including current commercial pricing practices, conventions, and warranties for IT continuous risk assessment monitoring and reporting in a large enterprise.

III. AREAS IN WHICH INFORMATION IS SOUGHT

Information and comments are solicited regarding the following Discussion Areas:

Discussion Area 1: Industry Practices

1.1 Does your solution fall into a specific type of industry category (i.e., eGRC, SIEM, End-point Security, etc)? Provide the primary and all applicable categories.
1.2 Is your solution an existing commercially available product, currently in development, or requiring significant modification or development of an existing solution or solution set?
1.3 Do you have contracts with other Government Agencies?
1.4 Are there pre-existing enterprise contracts within DHS?
1.5 If you have Federal Government Points of Contact that have successfully implemented this solution, we would appreciate it if you would share their contact information with us.
1.6 What is the largest deployment of the product of which you are aware?
1.7 What type of contract does your company use with this type of solution? (i.e. Firm-Fixed Price, Cost Plus Fee, Time & Material)
1.8 What are the key elements of this type of solution deployment and the deliverable(s) that are critical to successful outcomes and results (i.e., are add-on modules required)?
1.9 How does your company provide technical support for your solution? Is this support covered under a maintenance contract?
1.10 Do you have updates for the solution freely available upon release, or is a maintenance agreement required?
1.11 Are there in-house consulting or professional services staff that can be contracted to provide onsite implementation, integration, or troubleshooting assistance? Are such services available via an approved third party vendor? If so, can you provide examples?
1.12 Is the solution Section 508 compliant? [Reference: Section 508 of the Rehabilitation Act (29 U.S.C. § 794d), as amended by the Workforce Investment Act of 1998 (P.L. 105-220), August 7, 1998]
1.13 In complete implementation and operation, will the solution support security control requirements at a minimum Federal Information Processing Standards (FIPS) Publication 199 "MODERATE" impact level?
1.14 Is the solution scalable? If so, how does the solution scale as ICE needs grow (e.g., application solution modules, devices, licenses, etc)?
1.15 Does the product support National Institute of Standards and Technology (NIST) Security Content Automation Protocol (SCAP) to accept and translate SCAP enumerations/metrics (e.g., CVE, CVSS, CCE, CPE)?

Discussion Area 2: Measuring Performance

2.1 What performance requirements, e.g., tasks and deliverables, are susceptible to measurement?
2.2 What standards can or should be used to measure unsatisfactory, satisfactory, and outstanding achievement of the performance requirements identified? What are the best sources of performance standards?
2.3 Should standards be expressed in terms of technical performance (quality), timeliness (schedule), cost control, or some combination of these parameters?
2.4 What surveillance and measurement techniques can or should be used to determine whether the standards are not achieved, achieved, or exceeded?

Discussion Area 3: General Technical Characteristics

3.1 What is the maintenance and licensing structure?
3.2 What other products is this solution compatible with out of the box?
3.3 Does the solution support customization to integrate systems not supported natively?
3.4 What operating system(s) can host the solution?
3.5 What network ports/protocols does your solution utilize?
3.6 Is the product supported in a virtual environment?
3.7 Are there features and/or formulas ICE may use to estimate the operational system requirements for availability, storage, redundancy, and backup?
3.8 What type of user interfaces are provided to manage and operate the product (role based, hierarchy, client application, web application, etc.)?
3.9 Does the product allow for third party program integration?
3.10 What type of ticket system and/or integration capabilities does your product have?
3.11 Does the solution include reporting functionality? If so, what type?
3.12 Does the solution support workflows?
3.13 What type of database does the solution utilize (SQL, Oracle, Proprietary, Flat File, etc)?
3.14 Does the solution allow native, direct query access to the database?
3.15 Does the solution provide for "cloud" services? If solution, or option in solution, is "cloud"-based, please explain specifics.

Discussion Area 4: Specific Technical Characteristics

4.1 Can the solution accept multiple data feeds and provide analysis and reports timely? If so, provide details.
4.2 Can the solution operate in a classified environment if necessary? What are the capabilities and limitations associated with operating in a classified environment?
4.3 Which of the following automated reporting capabilities does the solution support?
    a. Hardware asset inventory, including servers, workstations, laptops, mobile device, network devices and appliances
    b. Software asset inventory
    c. Hardware and software configuration compliance, such as specified by the United States Government Configuration Baseline (USGCB)
    d. Patch and Malware compliance
4.4 What are the capabilities and limitations of report generation (fully customizable, built-in templates, etc)?
4.5 Does the solution support report exporting capabilities for common formats such as CSV, PDF, XML, text with customer field separators, etc?
4.6 Does the solution allow granular permission assignment to allow separation of responsibilities by user group for data views and reporting (examples: Management, Administrators, Power Users, Read only, etc)?
4.7 Does the solution support aggregated security risk scoring? If so, is it customizable?
4.8 Does the solution support modular components? If so, explain.
4.9 Does the solution offer "common look-n-feel" [UI] with consistent "single pane of glass"?
4.10 Does the solution allow for customer or user-customized UI?
4.11 What are the solution's capabilities and limitations of importing various data formats (such as XLS, CSV, XML, etc)?
4.12 Does the solution support data and/or event correlation? If so, how does the solution analyze and correlate data?
4.13 Does the solution generate data and/or event logs itself and if so, what formats are supported?
4.14 What are the solution's capabilities and limitations for defining its own log retention?
4.15 Does the solution provide open and documented API capabilities for integration of common product data and/or a framework for custom APIs? If so, provide a brief explanation of type and how.
4.16 What are the capabilities and limitations of reviewing raw data?
4.17 What types of "search" capabilities exist within the solution?
4.18 Does the solution support risk calculations/formulas? If so, what types and are they customizable by the customer?
4.19 Does the solution support ability to calculate risk at multiple levels (i.e., enterprise, program/unit, system and asset)?

Discussion Area 5: Other

5.1 Does the solution support a full training suite, including multi-tier training classes or curriculums (i.e., basic to advanced)? If so, is the training available at vendor in-house facilities, customer onsite or available through authorized 3rd parties?
5.2 Does your solution provide opportunities for specific industry-recognized certified training or ability to certify in-house (customer) trainers?
5.3 What types of up-to-date documentation come standard with each product / module used in the solution (operating, maintenance, user, configuration, administration, development, etc)?
5.4 Where is the product developed?
5.5 Do you own the product or is it original equipment manufactured (OEM)?

IV. HOW TO RESPOND TO THIS NOTICE

Please direct any questions concerning this notice to Mr. Bryan O'Shaughnessy at Bryan.O'Shaughnessy@dhs.gov, or 202-732-2547. Please submit your information and comments, including product data literature, to the Contracting Specialist electronically no later than May 17, 2011. Please submit the replies electronically to Bryan.O'Shaughnessy@dhs.gov. Electronic submissions should be submitted as an e-mail attachment in Microsoft Word.
Please repeat each Discussion Area with questions and provide the response beneath. Please submit the information in the same order and using the same numbering scheme in this notice to facilitate evaluation and organization by Government reviewers.

Please include a Rough Order of Magnitude (ROM) of pricing with your response. The ROM shall include the following components:
• Cost of the system and what is included.
• Cost for multiple systems including discounts, if available.
• Cost of license fees and what is included, such as maintenance and support.
• Cost of training and what is included in the training.
• Cost of services and what is included in the services.

Please specify if you are currently on Federal Supply Schedule.

Replies will be separated from, and have no bearing on, subsequent evaluation of proposals submitted in response to any resulting formal Requests for Proposals (RFPs). Information received in response to this notice may be used by ICE for acquisition planning and solicitation preparation activities. Eligibility to participate in a future acquisition does not depend upon a response to this notice. ICE will not critique the responses to this notice. ICE does not intend to pay for the information solicited and will not reimburse any costs associated with responding to this RFI.

Proprietary information is neither sought nor desired by ICE. If such information is submitted, it must clearly be marked "proprietary" on every sheet containing such information, and the proprietary information must be segregated to the maximum extent practicable from other portions of the response (e.g., use an attachment or exhibit).
 
Web Link
FBO.gov Permalink
(https://www.fbo.gov/spg/DHS/INS/ICE-OAQ-TC/RFI_HSICE_130_0001/listing.html)
 
Record
SN02444205-W 20110512/110510234722-ee6b3c8f8c74812fdd5697e86bd90959 (fbodaily.com)
 
Source
FedBizOpps Link to This Notice
(may not be valid after Archive Date)
