SOURCES SOUGHT
70 -- Continuous Evaluation Program Security Survey System
- Notice Date
- 1/13/2014
- Notice Type
- Sources Sought
- NAICS
- 541512 — Computer Systems Design Services
- Contracting Office
- Department of State, Office of Acquisitions, Acquisition Management, 1735 N. Lynn St., Arlington, Virginia, 22209, United States
- ZIP Code
- 22209
- Solicitation Number
- SAQMMA14SS0001
- Archive Date
- 2/15/2014
- Point of Contact
- Vincent J Sanchez, Phone: 703-875-6629, Bernard L. Turner, Phone: 703-875-4224
- E-Mail Address
- SanchezVJ@state.gov, turnerb1@state.gov
- Small Business Set-Aside
- N/A
- Description
- 1. Background

The Department of State (DOS) Bureau of Diplomatic Security (DS), Security Infrastructure (SI), Office of Personnel Security and Suitability (PSS) has developed a Continuous Evaluation (CE) Program. The CE program addresses guidelines set forth in the Intelligence Reform and Terrorism Prevention Act of 2004 and Executive Order 13467 of 2008.

The Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA) established the Office of the Director of National Intelligence (ODNI). The ODNI, in collaboration with the Office of Personnel Management (OPM) and other Government agencies, outlined several strategic goals to address IRTPA as part of the clearance reform process. One of these strategic goals was for agencies to establish a Continuous Evaluation process. Continuous Evaluation will provide a mechanism by which cleared individuals would be investigated more frequently, thereby reducing risk to national security.

Executive Order 13467 of June 2008 amended Executive Order 12968 of August 1995 by requiring that "an individual who has been determined to be eligible for, or who currently has access to classified information, shall be subject to continuous evaluation (CE)."

2. Product and Services Description

The product and services potentially required are for a Commercial Off-The-Shelf (COTS) Security Survey System to support the CE Program. The Security Survey System, a critical part of the overall CE Program, will include the ability to create, manage, distribute, and track Security Surveys. The Security Survey System will include the ability to have staff profiles on individuals. In addition, the Security Survey System will allow individuals with profiles to self-report key life events or activities.

2.1. Functional Requirements

As the Security Survey System is part of a larger solution, the system must be able to import and export data in a structured format, preferably XML.
The Security Survey System will receive data from Human Resource (HR) systems and other security systems. This data will be used to create and maintain staff profiles. The system must have error checking and handling, and the ability to reconcile incoming data to existing staff profiles, including creating an account if no account exists based upon data from another system. The system must have the ability to export, in a structured format, any staff profile data or survey data to other systems including HR and other security systems.

The Security Survey System must have the ability to support customization of the User Interface (UI) for DOS branding and standards to be applied. These customizations include, but are not limited to, applying the DOS logo, changing colors, and some amount of page layout including headers and footers with links to other sites. In addition, the system must support adding and managing fields and field names in the staff profiles.

The Security Survey System must have the ability to create and manage staff profiles. Data in a staff profile could include the staff member's unique information including name, SSN, date of birth, place of birth, Passport Number, network log, and other unique identifiers. The staff profile could also include the staff member's job related information including current and former job titles, assignments (Post / Region / Location), accesses / special programs, supervisors, and peers. In addition, the staff profile must store and make accessible any surveys completed by the user. The system must support management of the staff profiles including automated and manual creation, modification, merging, deleting, and archiving (exporting content into another system).

The Security Survey System must have the ability to create and manage multiple surveys. Surveys must be able to utilize text boxes, radio buttons (yes/no), scales (on a scale of X to X), multiple choice questions allowing multiple answers, and branching questions.
Surveys must be able to be managed including having multiple surveys, question pools, randomly assign questions to surveys, developed reference support (recipient must recommend X number of other users to receive surveys), assign values or weighting to questions, assign triggers to questions, assign notifications for trigger results (via e-mail or other means), and manage trigger notifications (group or role to route triggered event).

The Security Survey System must have the ability to create and maintain instructions / help files. The system must allow for instruction / help files to be created and associated with a certain part of the system including user profiles and surveys. The system must support maintaining instructions / help files that could include instructions on related policies, general guidance, links to other resources such as SharePoint, detailed system functions, and contact information to obtain further information or directly contact support (e-mail link).

The Security Survey System must have the ability to manage the survey process. The system must be able to send out surveys both manually and automated based upon rules. The rules must be configurable based upon defined criteria, such as dates. The system must allow a survey to be manually taken back and rerouted to a different user.

The Security Survey System must have the ability to manage and view completed security surveys. The system must allow a rejected survey to be rerouted to a different user.

The Security Survey System must have the ability to allow a recipient of a survey to receive and track one or multiple surveys assigned to them, reject a survey (with reason / comment), save survey in progress, see percent complete of a survey, spell check survey, access previously completed surveys, e-mail copy to self, print copy, and access instruction / help files.

The Security Survey System must have the ability to track and report on surveys in progress and completed.
The system must track status of surveys (opened, percent complete), automated and manual sending of e-mail notifications to survey recipients (new survey, incomplete survey, and deadlines). The system must have reporting functions on both the survey process and survey results. The system must have the ability to prioritize surveys for review based upon results of a survey and defined by triggers. So the answering of a triggered question in a certain manner could result in an action for a user to review that survey within X days. If that survey is not reviewed, a notification results (via e-mail or other means).

The Security Survey System must support staff profile self-reporting of key life events. The Security Survey System must have the ability to create and manage self-reporting surveys or forms; each type of self-reporting survey will have unique data fields. The system must support management of multiple self-reporting surveys or forms. Surveys must be able to utilize text boxes, radio buttons (yes/no), scales (on a scale of X to X), multiple choice questions allowing multiple answers, and branching questions. The system must allow self-reporting surveys to be saved in progress, see percent complete of a survey, spell check of survey, access previous completed self-report surveys, e-mail copy to self, print copy, and access instruction / help files. The system must allow triggers to be created to send follow up surveys based upon answers in their self-reporting survey. The system must allow for sending notifications for trigger results (via e-mail or other means), and manage trigger notifications (group or role to route triggered event). The system must allow for assigning values to questions, assigning triggers to questions, assigning notifications for trigger results, and managing notifications (via e-mail or other means) based upon trigger.
The Security Survey System must have role-based permissions with the ability to control permissions and accesses based upon predefined roles. These roles will determine which users can create accounts / profiles, modify survey forms either system sent or self-reporting, which users can create and modify triggers and routing of triggered results, as well as basic user functions such as completing surveys.

The Security Survey System must have the ability to log events. The system must log both system managed or automated events and manual events. This logging could include, but is not limited to, transaction logs related to importing or exporting data, creation and/or modifications of profiles, creation and/or modifications of surveys, creation and/or modifications of triggers and results of triggers, and activity related to completion of surveys.

2.2. Technical Requirements

The Security Survey System must support Federal Government and DOS specific technical requirements including Section 508, Single Sign-on, encryption, and Certification and Accreditation.

The Security Survey System must meet Section 508 compliance standards, ensuring the system can be used by people with disabilities. This includes providing a Voluntary Product Accessibility Template (VPAT) and providing supporting information on how the product meets Section 508 standards.

The Security Survey System must comply with Title III of the E-Government Act of December 2002, entitled the Federal Information Security Management Act (FISMA). DOS has implemented FISMA controls in accordance with National Institute of Standards and Technology (NIST) standards as defined in Federal Information Processing Standards (FIPS) 199 and 200, and guidelines Special Publications (SP) 800-series including SP 800-53.
The provider must be able to support the development of a System Security Plan with implemented and documented security controls in accordance with a moderate level system, and leading to Certification and Accreditation (C&A).

The Security Survey System must support Single Sign-on utilizing Microsoft Windows Active Directory services. The system must be able to link DOS network credentials to accounts with roles and permissions.

The Security Survey System must support encryption of data at rest and data in motion.

2.3. Technical Services

The provider of the Security Survey System must be able to provide technical services on customer site. These services include but are not limited to installation and configuration support, customization support, training, and C&A support.

2.4. Optional Functional Requirements

Optional functional requirements are desired or enhanced capabilities, but may or may not be potentially required for the Security Survey System to be successful, depending on industry response to this notice.

The Security Survey System optionally would have the ability to maintain training records associated with staff profiles and manage training material. Based upon results of surveys, either completed by others or self-reporting, the system would allow training material to be made available for completion by a user. This training material would consist of a number of PowerPoint slide shows. The system would allow a user to make available to another user one or more of the slide shows. The system would allow the user to review / complete and certify understanding of the training material. The system would allow tracking of training (opened, percent complete), automated and manual sending of e-mail notifications to training recipients (new training, incomplete training and deadlines). The system would allow all training information ongoing and completed to be made available in that user profile.
The system would allow reporting functions on training progress and results.

There seem to be two (2) distinct IT architecture solutions being employed by industry for these types of products. A Commercial Off-The-Shelf (COTS) product model is preferred over a SaaS model. The SaaS model involves the provider hosting the software and associated data on their internet access architecture or "cloud." This model poses several challenges. Due to the unique and sensitive nature of the data that will be stored in the system, meeting Government security requirements, both physical and logical, would greatly increase costs. No potential SaaS provider had a FedRAMP authorized solution (FedRAMP is the General Services Administration (GSA) program to certify cloud providers as being FISMA compliant), and industry is still some time away from being listed FedRAMP Cloud Service Providers. In addition, the system will be part of a greater overall solution, so interoperability and connectivity between this system and the other systems would create additional complexity and IT architecture challenges such as creating new solutions to allow internal and external systems to transmit data. Finally, the Government anticipates the solution will require customization due to the unique, and non-standard, use of the solution to meet this effort's objectives, and SaaS solutions are more limited in the amount of customization allowed. For the aforementioned reasons, the Government prefers a Commercial Off-The-Shelf (COTS) product based model that can be maintained within DS's IT architecture as the best approach to meet this potential need.
Acronyms

CTO Chief Technology Officer
DS Diplomatic Security
DOS Department of State
FISMA Federal Information Security Management Act
HR Human Resources
NIST National Institute of Standards and Technology
OPM Office of Personnel Management
PSS Personnel Security and Suitability
SaaS Software as a Service
SI Security Infrastructure

If your firm can provide the aforementioned commercial services, please respond to this notice with the following information:

1. Company name, address, points of contact including phone numbers and e-mail addresses, manufacturing sites and locations;
2. Company Cage Code and DUNS Number, Business size (large or small business, and if small indicate what types of small business concern (e.g. EDWOSB, Hubzone, 8(a), woman-owned, etc.));
3. Past Performance information along with brief descriptions of previous projects, points of contact and contract numbers for services you have performed that are similar in corporate or Government settings.
4. Include detailed technical information with relation to our potential need of services described. The Department also welcomes any suggestions or comments with regards to these technical specifications and industry feedback.
5. Include information on all warranty, maintenance or service life offered with the solution.

All of the items above should be addressed in your firm's response to this notice and any questions can be made to the point of contact listed on this notice. Please address each of the items above to the best of your firm's ability, given time and resources. There will be NO compensation for responses to this sources sought notice. All participation is purely voluntary and shall incur no costs to the Government. All submissions should be sent in via email to SanchezVJ@state.gov by the notice response date referenced on this sources sought notice.
- Web Link
- FBO.gov Permalink (https://www.fbo.gov/spg/State/A-LM-AQM/A-LM-AQM/SAQMMA14SS0001/listing.html)
- Place of Performance
- Address: Washington DC Metropolitan Area, Washington, District of Columbia, 20520, United States
- Zip Code: 20520
- Record
- SN03266265-W 20140115/140113235417-5cbbb0b5198af3fb58ac5d11f1985958 (fbodaily.com)
- Source
- FedBizOpps Link to This Notice (may not be valid after Archive Date)