SOURCES SOUGHT
70 -- Enterprise Identity Access and Management (EIAM)
- Notice Date: 10/23/2013
- Notice Type: Sources Sought
- NAICS: 541519 (Other Computer Related Services)
- Contracting Office: Department of State, Office of Acquisitions, Acquisition Management, 1735 N. Lynn St., Arlington, Virginia, 22209, United States
- ZIP Code: 22209
- Solicitation Number: SAQMMA14I0002
- Archive Date: 11/22/2013
- Point of Contact: Steven G. Haines, Phone: 7038756746
- E-Mail Address: hainessg@state.gov
- Small Business Set-Aside: N/A
- Description
REQUEST FOR INFORMATION

The DOS Bureau of Information Resource Management (IRM) is interested in information, specifically capabilities and functionality descriptions, from businesses that offer a commercial off-the-shelf (COTS) identity management and roles-based access control solution. The solution will be used to support Department of State users, customers, and partners worldwide. In addition, this RFI is being used to identify the information and data points that respondents would need to respond to any future solicitation.

This is a Request for Information (RFI) that will be used to gather market research information and develop a solicitation announcement in the near future. The Department of State (DOS) will not answer any questions regarding this market research. No reimbursement will be made for any costs associated with providing information in response to this notice. This RFI shall not be considered an invitation for bid, request for proposal, or in any way an obligation on the part of the Government to acquire products or services. Your response to this RFI will be treated as information only. No entitlement to payment of direct or indirect costs or charges by the Government will arise as a result of contractor submission of responses to this RFI, or the Government use of any information provided. All information provided may be used by the U.S. Department of State (DOS) in developing its acquisition strategy, small business/socio-economic set-aside decisions, statement of work/statement of objectives, and performance specifications. The Government does not guarantee any action beyond this RFI.

BACKGROUND

IRM provides the information technology and services the Department needs to successfully carry out its foreign policy mission. The primary unclassified network operated by IRM is the DOS OpenNet network. One current IRM initiative is to provide services to non-OpenNet users, such as Eligible Family Members (EFMs) and Other Government Agencies (OGAs), via a Foreign Affairs Network version 2.0 (FAN 2.0). FAN 2.0 will be a platform for collaboration, coordination, and information sharing for all agency employees under Chief of Mission (COM) authority that is easy to use, accessible from anywhere, and adheres to the guidance for identity management set forth by the Federal Identity, Credential, and Access Management (FICAM) Roadmap and Implementation Guidance. The FAN design will allow DOS to offer services as well as information to all individuals in the foreign affairs community, including Other Government Agencies (OGA). These services will reside in various network enclaves, to which access can be granted based on the user's level of identity authentication assurance as defined by OMB M-04-04. There will be three primary enclaves in the initial design of FAN 2.0, each accessible to users at various levels of assurance as defined by NIST SP 800-63 rev 2:

1. A community coordination enclave to disseminate post information.
2. An interagency collaboration enclave to facilitate the conduct of foreign Agency specific enclaves for processing information that should be accessed by a smaller audience, requiring a greater level of identity assurance.
3. Agency specific enclaves for processing information that should be accessed by an even smaller audience, requiring the highest levels of identity assurance.

ENTERPRISE IDENTITY AND ACCESS MANAGEMENT (EIAM) SYSTEM

In order to support FAN 2.0, the Enterprise Identity and Access Management (EIAM) system will be implemented to provide both Identity Management and Roles-Based Access Control. Once the EIAM system authenticates a user, that authentication determines which FAN services the user is authorized to access. The NIST SP 800-63 eAuthentication Guidelines are the primary source of business requirements for the EIAM system.

FAN 2.0 is a global network, and customers may be accessing the EIAM system from anywhere, using a number of devices. U.S. Government employees (government and contractors) will have U.S. Government-issued Personal Identification Verification (PIV) or Facilities and Logical Access (FLAC) cards that can be leveraged for authentication at identity assurance level 3 or 4; others will need to leverage One-Time Passwords (OTP) or Out-of-Band Tokens (OOBT) to establish identity at assurance level 2 or 3; and others will require simply a login ID with password. Additional authentication mechanisms may also be employed, such as memorized secret tokens or single- and multi-factor cryptographic devices, and should be considered as options for the solution. The EIAM system must provide workflow to support provisioning and de-provisioning of users and non-person entities (NPE), as well as provide a secure administrative interface. The EIAM system must provide the means to enable Single Sign-On (SSO) and sign-off for applications.

The solution must be compatible with existing DOS LAN/WAN environments. Common hardware and software elements of the DOS environment include the following. Respondents should feel free to indicate whether their solutions would complement or replace any of the below elements. Respondents are encouraged to leverage hardware and software that is already approved by the DOS IT Change Control Board (ITCCB), but should not be discouraged from utilizing new hardware and software if it meets, or exceeds, the minimum requirements.

1) Hardware
   a) Cisco router/switch hardware
   b) Nortel Connectivity Encryptors
   c) Cisco ASA Encryptors
   d) Riverbed accelerators
   e) HP/Dell servers
   f) DOS maintains an Ethernet backbone
   g) F5 Big-IP with APM
2) Software
   a) Microsoft Active Directory (FFL 2)
   b) Windows 2003 Server series (with current service packs)
   c) Windows 2008 R1/R2 Server series (with current service packs)
   d) Red Hat Linux
   e) Microsoft Exchange Server 2003 (with current service packs)
   f) Microsoft Exchange Server 2010 (with current service packs)
   g) Microsoft SQL Server 2005 with SP2
   h) Microsoft SQL Server 2008 Enterprise & Standard
   i) VMware ESXi 4.x
   j) VMware vSphere vCenter 4.x
   k) SharePoint 2007
   l) SharePoint 2010
   m) Other common user file types

The following scenarios are included to further illustrate the vision of the EIAM system, and respondents should indicate how their solution addresses the identity and access management requirements inherent to each scenario.

Scenario 1: Spouse access to phone list from the Internet

To gain access to the phone list from the Internet, the spouse and sponsoring employee will perform the steps listed below. The phone list is an example of information that could be stored in the community coordination enclave of FAN 2.0.

1) Registration of spouse by sponsoring employee: the employee will access the EIAM system and provide the name, login ID, and contact information.
2) Initial set up by dependent/EFM: after the sponsoring FTE has performed the registration, the EFM will access a login page from an Internet-connected computer and enter the login that was registered.
   a) Identity confirmation with One-Time Password/Out-of-Band Token (first time login): the EFM will receive a PIN delivered through email, SMS message, or other pre-determined means. Entering this information into the login page confirms the link between the individual entering the PIN and the sponsoring FTE. After the identity is verified, the EFM chooses a password to secure the account.
   b) Identity confirmation (subsequent logins): if the EFM has identified the login device as a "trusted" device, then they use only a login and password to access the information.
3) EFM chooses service from portal: the EIAM system determines access levels to the services provided. The initial portal page will list services available to the user, and, for example, the user can choose the phone list from the options.

Scenario 2: OGA access to eCountry Clearance (eCC) from the Internet

To gain access to the eCC application from the Internet, the full-time employee and post administrator will perform the steps listed below. The eCC application is an example of something that could be hosted in the Collaboration enclave.

1) Registration of employee: a process will exist such that the employee is registered with the EIAM system, in a manner consistent with meeting the NIST assurance levels required to access more sensitive information. Registration will include providing the name and contact information of the individual, and identifying an initial login ID.
2) Initial set up by FTE: after the employee has been registered, the employee will access a Department of State hosted login page from an Internet-connected computer and enter the login that was registered.
   a) Identity confirmation with One-Time Password/Out-of-Band Token (first time login): the employee will receive a PIN delivered through email, SMS message, or other pre-determined means. Entering this information into the login page provides some level of assurance that the individual using the login is the person for whom the account was provisioned. After the identity is verified, the employee chooses a password to secure the account.
   b) Identity confirmation (subsequent logins): if the employee has identified the login device as a "trusted" device, then they use only a login and password to access the information.
3) Employee chooses service from portal: the EIAM system determines access levels to the services provided. The initial portal page will list services available to the user. The user chooses the eCC application from the options.

Scenario 3: OGA Procurement request from post OGA network with PIV

To gain access to the Procurement application from an OGA network computer at post, the full-time employee and post administrator will perform the steps listed below. The Procurement application is an example of an application that could be hosted in the Collaboration enclave.

1) Registration of employee: a process will exist such that the employee is registered with the EIAM system, in a manner consistent with meeting the NIST assurance levels required to access more sensitive information. Registration will include providing the name and contact information of the individual, and identifying an initial login ID.
2) Employee logs on to OGA network terminal: the employee will use the credentials necessary to log into the parent agency's network.
3) Employee accesses the services portal: after logging into the parent agency network, the employee will use a web browser to access the services portal page.
4) Employee provides PIV credentials: if not already logged on with a PIV card, the user will insert it now. The credentials will be checked by the EIAM system, and the list of services the user is able to access will be displayed on a portal page. The user will choose the Procurement Request from the options.

Scenario 4: OGA network or application access from FAN workstation

The end state for FAN 2.0 allows users access to standard FAN thin clients, regardless of parent agency. To access a parent agency network from a FAN thin client, including State users accessing OpenNet, the user should perform the following steps:

1) Registration of employee: a process will exist such that the employee is registered with the EIAM system, in a manner consistent with meeting the NIST assurance levels required to access more sensitive information. Registration will include providing the name and contact information of the individual, and identifying an initial login ID.
2) Employee logs on to a FAN thin client: the employee will use the credentials necessary to log into the FAN network. In initial deployments of FAN 2.0, this will likely be a login/password, but could also be a PIV card.
3) Employee accesses the OGA network: after logging into the FAN network, the employee will use remote access software or a web browser to access the parent agency network.
4) Employee provides PIV credentials: if not already logged on with a PIV card, the user will insert it now. The credentials will be checked by the EIAM system, and the user's identity is confirmed and relayed to the requesting application.
   a) In the case of a published application or desktop, the credentials are passed to the client software running on the FAN workstation. The client software establishes a connection to the parent agency network and passes the credentials.
   b) In the case of web application access, the credentials are relayed to the parent agency's web application by the web browser running on the FAN workstation.

RFI RESPONSE CONTENT

The Department requests that RFI respondents provide as much information as possible regarding the following topics.

1. Identify your suggested solution, by manufacturer/brand, part number, or company provider (for service elements).
2. Describe your solution's approach to authentication, and the authentication mechanisms, methods, and protocols supported.
3. Describe your solution's approach to and options for managing access-control policies, including industry standard interoperability technologies and protocols supported.
4. Describe how an identity is managed across the lifecycle: provisioning, roles assignment, periodic reviews, identity and role information updates, and de-provisioning. Include both manual and automated descriptions.
5. The solution will have to be able to integrate with and leverage existing systems that have existing identity data. Describe how your solution integrates with other sources of identity data and which identity store communications standards are supported.
6. Describe how administrators manage the data in your solution.
7. Describe the information security aspects of your solution, such as how data, including any Personally Identifiable Information (PII), is protected in accordance with NIST SP 800-122. Indicate whether data is encrypted both at rest and while in transit, and if so how. (DOS networks are themselves encrypted.)
8. Describe the monitoring, alerting, and reporting features of your solution, and indicate how these features support Federal Information Security Management Act (FISMA) compliance.
9. Please identify the security capabilities inherent to your solution to prevent compromise, penetration, exfiltration, tampering, etc.
10. Identify how your solution can be architected to support a global network of users, and quantify the anticipated impacts on network links. Include any bandwidth or latency requirements.
11. Indicate how your solution supports high availability, replication, and options for providing disaster recovery.
12. Describe whether your solution will integrate with other hardware platforms (i.e., is your solution hardware/platform-neutral?).
13. DOS has a requirement for all deployed hardware to have one layer of redundancy. Please describe how your product or solution handles hardware redundancy.
14. As indicated above, the user base for FAN 2.0 is extensive. For example, the system is envisioned to allow the over 113 million U.S. passport holders to request services on their passport, and another 9 million US Visa holders annually. This is in addition to the hundreds of thousands of U.S. Government employees, dependents, and contractors in the foreign affairs community. Assuming a phased implementation approach, describe how your solution can scale as demand increases without losing performance, and specify any limitations on supported transactions or data volumes. Include specifics on how the system handles concurrent identity requests.
15. Describe what activities are required for the operations and maintenance of your company's solution. Please include whether your solution uses central management support functionality.
16. Describe your licensing model or equivalent pricing/fee structure (note: a dollar amount is not requested nor will it be reviewed).
17. Identify whether you allow potential customers to test your solution/product(s) prior to purchase, and how.
18. Please identify additional information and data points your company would need from the Department in order to respond to any future solicitation.
19. Please identify what services are available to support installation and configuration.
20. Identify federal, state or local agencies currently utilizing your solution.
21. Identify commercial companies or non-governmental organizations (NGOs) currently utilizing your solution.
22. Identify other best-of-breed identity management and/or access management solutions that integrate with your solution. Indicate whether your proposed solution includes partner company technologies.

RFI RESPONSE INSTRUCTIONS

1. All responses must be submitted in writing by email only, in Microsoft Word (.doc or .docx) or Adobe (.pdf) format, to HainesSG@state.gov, such that they are received at that electronic address no later than the closing date/time of this notice.
2. Responses should be concise and not exceed fifteen (15) 8.5"x11" pages when printed, excluding cover page and table of contents.
3. Font should be Times New Roman size 12. Graphics may use Times New Roman size 10 or larger.
4. Proprietary information must be clearly marked as such.
5. Cost or price information is not requested and will not be reviewed.
6. No phone calls related to this RFI will be accepted. All correspondence shall be via email.
7. The Government is not interested in marketing responses or general product and service brochures/"line cards". The Government is requesting a clear, concise, and complete response to the specific content requested above. Responses should describe actual capabilities or future proposed capabilities with anticipated release dates.

All responses must include the following business information:

a. Company Name
b. Complete Company Address
c. Dun & Bradstreet (DUNS) Number
d. Commercial and Government Entity Code (CAGE)
e. Point-of-Contact name, telephone number, and email address
f. Small Business/Socio-Economic status of respondent, if any (i.e. small business, small disadvantaged business, 8(a) small business, service-disabled veteran-owned small business, HUBZone small business, woman-owned small business, and economically-disadvantaged women-owned small business).

Note: The applicable NAICS code for this effort is 541519, Information Technology Value Added Resellers, with a size standard of 150 employees.

REFERENCES

The following government regulations and policies are referenced in this RFI. This list does not constitute a comprehensive listing of all applicable federal regulations and standards that should be considered in the response.

1) FICAM Roadmap and Implementation Guidance, Version 2.0, December 2, 2011.
2) OMB M-04-04, E-Authentication Guidance for Federal Agencies, December 16, 2003.
3) NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems and Organizations, Revision 4, April 2013.
4) NIST Special Publication 800-63, Electronic Authentication Guideline, April 2006.
5) NIST Special Publication 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information, April 2010.
6) Homeland Security Presidential Directive 12 (HSPD-12), Policy for a Common Identification Standard for Federal Employees and Contractors, August 27, 2004.
7) Federal Information Security Management Act of 2002 (FISMA), 44 U.S.C. § 3541, P.L. 100-615.
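The following Python is an added illustration, not part of the RFI and not any vendor's product: it models the authorization decision the notice describes, where the credential presented fixes an NIST SP 800-63 assurance level, each FAN 2.0 enclave demands a minimum level, and the portal lists only services the session can reach, offering a step-up (OTP/OOBT or PIV) where a mechanism the user holds could get there. The exact level chosen inside each range the RFI states, the per-enclave thresholds, the `agency_records` service, and the `Account`/`Session` names are assumptions made for the example.

```python
from dataclasses import dataclass

# Credential -> LoA. RFI: PIV/FLAC reach 3 or 4, OTP/OOBT 2 or 3, password 1;
# the value picked within each stated range is an assumption.
CREDENTIAL_LOA = {"password": 1, "otp": 2, "oobt": 3, "flac": 3, "piv": 4}

# Enclave -> minimum LoA. The RFI only orders the three enclaves; thresholds assumed.
ENCLAVE_MIN_LOA = {"community_coordination": 2,
                   "interagency_collaboration": 3,
                   "agency_specific": 4}

# Service -> hosting enclave. phone_list/ecc/procurement come from the RFI scenarios;
# agency_records is a constructed placeholder for an agency-specific enclave service.
SERVICES = {"phone_list": "community_coordination",
            "ecc": "interagency_collaboration",
            "procurement": "interagency_collaboration",
            "agency_records": "agency_specific"}

@dataclass(frozen=True)
class Account:
    login_id: str
    eligible: frozenset          # mechanisms provisioned for this user at registration
    otp_confirmed: bool = False  # first-time PIN confirmation done (scenario 1a / 2a)

@dataclass(frozen=True)
class Session:
    account: Account
    presented: frozenset         # mechanisms actually used in this session
    trusted_device: bool = False # user marked this device "trusted" (scenario 1b / 2b)

def session_loa(s: Session) -> int:
    """Assurance earned in this session. A password alone is LoA 1, except on a
    trusted device after the one-time PIN confirmation, where it keeps the OTP
    level (an assumption about what the RFI's 'trusted device' step means)."""
    used = s.presented & s.account.eligible   # a mechanism never provisioned earns nothing
    if not used:
        return 0
    loa = max(CREDENTIAL_LOA[c] for c in used)
    if used == {"password"} and s.trusted_device and s.account.otp_confirmed:
        loa = max(loa, CREDENTIAL_LOA["otp"])
    return loa

def authorize(s: Session, service: str) -> str:
    """'allow', 'step_up' (a mechanism this user holds could reach the enclave's
    level) or 'deny' (no provisioned mechanism can reach it)."""
    needed = ENCLAVE_MIN_LOA[SERVICES[service]]
    if session_loa(s) >= needed:
        return "allow"
    reachable = max((CREDENTIAL_LOA[c] for c in s.account.eligible), default=0)
    return "step_up" if reachable >= needed else "deny"

def portal_services(s: Session) -> list:
    """Services the initial portal page would list for this session."""
    return sorted(svc for svc in SERVICES if authorize(s, svc) == "allow")
```

The point worth checking in any real product is the `step_up` path: a spouse account provisioned only with a password and an out-of-band token can never be stepped up into an agency-specific enclave, however many prompts it answers.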
- Web Link: FBO.gov Permalink (https://www.fbo.gov/spg/State/A-LM-AQM/A-LM-AQM/SAQMMA14I0002/listing.html)
- Record: SN03220971-W 20131025/131023234407-79fc8ded75d21fcf6fd2d238d5686f2e (fbodaily.com)