SOURCES SOUGHT
R -- CLOUD CYBER INFORMATION SECURITY SERVICES
- Notice Date
- 11/7/2016
- Notice Type
- Sources Sought
- NAICS
- 541513, Computer Facilities Management Services
- Contracting Office
- Small Business Administration, Office of Chief Financial Officer - Acquisition Division, SBA Contracting, 409 Third Street, S.W., Washington, District of Columbia, 20416, United States
- ZIP Code
- 20416
- Solicitation Number
- SBAHQ17R0001
- Point of Contact
- Toni Hoskinson, Phone: 303-844-2026
- E-Mail Address
- toni.hoskinson@sba.gov
- Small Business Set-Aside
- N/A
- Description
- This is a SOURCES SOUGHT AND REQUEST FOR INFORMATION ANNOUNCEMENT to be used for market analysis ONLY, to determine whether there are a sufficient number of qualified and interested firms which can provide CLOUD CYBER INFORMATION SECURITY SERVICES, and to gather the information industry will need to provide a proposal. NAICS code is 541513; size standard is $27.5 million. ALL SMALL BUSINESSES SHALL INDICATE THEIR SMALL BUSINESS SIZE STANDARD AND CLASSIFICATION; IF YOU HAVE A GSA SCHEDULE, PROVIDE DETAILS IN YOUR RESPONSE. NO SOLICITATION IS AVAILABLE AT THIS TIME. The Small Business Administration (SBA) intends to consider awarding either a Firm Fixed Price contract or a Firm Fixed Price Indefinite Delivery/Indefinite Quantity (IDIQ) contract to support and assist the SBA in the migration of its Security Operations Center (SOC) to a remotely managed cloud service provider, in an effort to comply with the policy issued by the Office of Management and Budget in 2010. To ensure governance and security, the Cloud Cyber Information Security Service must be Federal Risk and Authorization Management Program (FedRAMP) approved for cloud security. The Cloud Service Provider must meet the security mandates required by Federal laws, standards, and guidance to ensure the preservation of information and the security of the SBA's cyber perimeter, and must maintain availability to the SBA and visibility of assets and information to Federal IT Security Staff. SBA is seeking an experienced and resourceful partner for this Cloud Cyber Information Security Service contract who will use innovative means to provide a stable and cost-effective operational environment which must support agency systems, applications and their underlying databases in a current and available state. The SBA is seeking a dependable, flexible, yet cost-efficient approach for hosting, monitoring, remediating and securing its systems.
SBA seeks planned and predictable maintenance costs which will let the agency achieve effective functional performance in a shared servicing environment for its systems and infrastructure. The SBA will require services for Cloud Cyber Information Security Service that include, at a minimum:
• The management and computing infrastructure required for providing these services as Software as a Service (SaaS). The services will include a comprehensive SOC monitoring program and, at a minimum, installation, configuration, monitoring, and maintenance of end-point protection, AV/HIPS/host firewall, network IDS/IPS, SIEM and Data Loss Prevention (DLP), and ongoing monitoring, maintenance and support of all components required to operate Einstein and CDM.
• Cloud Cyber Information Security Service provider shall provide a tier III hosting and security monitoring facility as described in the Uptime Institute Tier Standard: Operational Sustainability. Provide tier II and III Help Desk/Service Desk support to track incidents, troubleshoot platform problems, and assist in the resolution of problems. Provide formal helpdesk/support services with statistics and escalation procedures to troubleshoot functional and technical problems reported. Provider must provide 24/7/365 server monitoring with service desk support.
• Cloud Cyber Information Security Service provider's Security Operation Center (SOC) will operate in a 24/7/365 environment ensuring, but not limited to, monitoring, intrusion detection and counter-intrusion support, security engineering, incident identification, insider threat detection and response, vulnerability, computer forensics and exploitation, and cyber threat analysis.
• The primary location must be within 100 miles of the SBA's Headquarters in Washington, DC (approved by SBA).
• Disaster Alternate site: provider must provide a backup hosting facility at least 200 miles away from the primary hosting facility and on a separate national power grid. The sites must be geographically located in areas of the continental United States not subject to a greater than average exposure to natural disasters which would unduly threaten infrastructure services supporting the SBA's mission critical application to assist victims of these same natural disasters.
• The facilities must be supplied with electrical power from discrete grid segments, or a similar method ensuring a power failure at an electrical substation does not leave the facility operating on engine-driven generators or battery backup power alone.
• In the event of a major catastrophe, the Cloud Cyber Information Security Service provider must provide disaster recovery, including failover to the disaster recovery site within 24 hours of failure or declaration of an emergency by a specific system business owner or the SBA CIO.
• Both sites must provide physical security at the Cloud Cyber Information Security Service provider's facility with an approved SBA access list. Access must be available 24/7/365 with 30 minute prior notification, and must be provided to SBA Federal staff, authorized industry partners and staff for audit, Internal Verification & Validation and other Government-approved purposes.
• Provider's facilities must be scalable to support varying workload requirements as well as application performance requirements.
• Provider's facility must be owned and managed by the contract company.
• Provider will provide the expertise, technical knowledge, staff support, and other related resources necessary to the implementation of Federal and SBA's Standard Operations Policy 90 47 4 (or as revised), Information System Security Program Policy and requirements Agency-wide.
• Operate and maintain a Cybersecurity program to deliver services and solutions supporting core/common information and IT security requirements across SBA in a seamless and integrated method.
• Maintain and improve the confidentiality, availability and integrity of SBA's information and IT systems.
• Maintain the security of its (the Cloud Cyber Information Security Service provider's) infrastructure to ensure compliance with U.S. Government and SBA mandates.
• Provide the capability to host, maintain and support multiple instances of approved systems to include, but not limited to, development, testing, training, production and disaster recovery instances, with reporting capability configured in an appropriate instance which permits minimized licensing costs.
• Allow remote VPN and direct hands-on application and database administration by SBA authorized individuals, where applicable.
• Provider must ensure all non-SBA initiated platform patches are fully tested prior to being applied to production systems or devices providing connectivity and access to the SBA systems.
• Provider must provide secure, off-site encrypted media storage, with the backup schedule to be negotiated. SBA data must be segregated from other customers.
• Provider must encrypt and regularly perform live tests of its SBA backups.
• Provider must regularly test disaster recovery plans for SBA data hosted at their processing facilities.
• Provider's facility must include base power and connectivity to the hosting company's Internet backbone. More than one internet provider must be available and all internet connectivity must be redundant from all providers to both the primary and backup facilities.
• Provider must have the ability to integrate into SBA's existing VPN extranet. SBA uses a combination of AT&T Global and Cisco Smart Net VPN technologies and prefers to introduce an SBA Smart Net device into the hosted environment.
• Private IP network offering needs to support IPv4 and IPv6 traffic with the Cloud Cyber Information Security Service provider's delegated addressing schemes where appropriate.
• SBA maintains a Trusted Internet Connection (TIC) compliant portal. Provider must be able to meet the OMB mandate to provide access to SBA Trusted Internet Connections in adherence to the following:
  o OMB M-08-05, Implementation of Trusted Internet Connections
  o OMB M-08-16, Guidance for Trusted Internet Connection Statement of Capability Form
  o OMB M-08-26, Transition from FTS 2001 to Networx
  o OMB M-08-27, Guidance for Trusted Internet Connection Compliance
  o NSPD-54/HSPD-23, Comprehensive National Cyber Security
• Provider will implement and maintain dual internet access connections with Internet Service Provider (ISP) diversity, a private line connecting data centers for replication, and a private line connection between each Cloud Cyber Information Security Service data center and the SBA's HQ.
• Provider must provide SBA with scalable bandwidth to meet contract requirements.
• Provider must maintain a secure intranet network to prevent unauthorized access; provide a firewall with network intrusion detection system, virus protection and vulnerability scanning in both data centers.
• Provider must have and maintain formal written information security policies.
• Provider must maintain, and provide SBA Federal staff or its representatives access to, centralized digital archival storage. Document retention must adhere to SBA policies.
• Provider must have a formal change control process, and must have and follow secure data destruction processes for confidential data and IT equipment/media.
• Provider must segregate SBA data from other customers.
• Provider must provide results of a third-party external audit conducted within the past ten years.
• Provider must have and maintain relevant certificates of applicable compliance certifications such as, but not limited to, FEDRAMP, ITIL, COBIT, ISO 2700, etc.
• Provider's facility must be annually audited according to Standards for Attestation Engagements (SSAE) No. 16/SOC 2. The annual audit(s) must be conducted within the federal fiscal year cycle.
• Provider must provide, maintain and regularly test an Incident Response plan (IRP) and conduct at least one yearly hot test and recovery.
• Provider must provide continuous monitoring and reporting for identified communication lines to include latency, performance, utilization, and availability.
• Provider must provide access to the Department of Homeland Security (DHS) for the federally mandated Continuous Diagnostic and Mitigation (CDM) program, and provide ongoing monitoring, maintenance, and support for the CDM tools.
• Provider must possess, maintain and update all the data-migration strategies and procedures it uses, and have provisions for data and code escrow.
• Provider must provide Managed Trusted Internet Protocol Services (MTIPS) with EINSTEIN capabilities.
• Provider must provide an insider cyber threat program to ensure that SBA's policies, resources and oversight are in place to assess and implement the SBA's controls that specifically deter, detect and mitigate the risk from employees, contractors and business partners.
• Services to include, but not limited to: network and firewall hardware with configuration support; movement and mounting of hardware, etc.
All interested SMALL BUSINESS firms are encouraged to respond to this notice by submitting a brief capability statement addressing the Facilities, Technical, Disaster Recovery, Communication, Security, and Other Support listed above. The capability statements must answer the following questions:
1. Can your company provide and manage Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS)?
2. Can your company provide and manage a 24/7/365 service environment and a Security Operation Center (SOC)?
   a. If so, what tools and services does it offer?
3. Can your company provide and manage a primary location and an alternate location as described above that can be managed and provide access 24/7/365?
4. Does your company provide and manage a backup hosting facility at least 200 miles away from the primary hosting facility?
   a. If so, is it on a separate national power grid?
5. Describe how your company can provide and manage facilities which are scalable to support varying workload requirements as well as application performance requirements.
6. Describe how your company is currently providing and managing the expert technical knowledge, staff support, and other related resources necessary to the implementation of Federal and SBA IT Security policy and requirements Agency-wide.
7. Does your company provide, manage and allow remote VPN for administration by SBA authorized individuals?
8. Does your company provide, manage and test all non-SBA initiated platform patches prior to their being applied to production systems or devices?
9. Does your company provide and manage secure, off-site encrypted media storage for backup?
10. Does your company regularly test its backups?
    a. If so, describe how this is managed.
11. Does your company regularly test disaster recovery plans for data at their processing facilities?
    a. If so, describe the procedures being utilized.
12. Does your company provide and manage disaster recovery, including failover to a disaster recovery site within 24 hours of failure or declaration of an emergency?
    a. If so, please detail your procedures for testing the disaster recovery mechanisms and procedures, and the frequency of the tests.
13. Does your company provide and manage base power and connectivity to the hosting company's Internet backbone?
    a. Is there more than one internet provider?
    b. Is it redundant from all providers to both the primary and backup facilities?
14. Does your company have the ability to integrate into SBA's existing VPN extranet?
15. Can your company provide and manage support for IPv4 and IPv6?
16. Can your company provide and manage a TIC compliant portal?
17. Does your company provide and maintain formal written information security policies?
    a. If you utilize an external third-party contract to accomplish this requirement, how will you assure they comply with policies and SBA agreements?
18. Explain your company's formal change control process.
19. Does your company provide and manage secure data destruction processes for confidential data and IT equipment/media?
    a. If so, explain your procedures.
20. How would your company segregate SBA data from other customers?
21. Would you be able to provide results of a third-party external audit conducted within the past ten years with a proposal?
    a. If not, explain why.
22. Does your company possess and maintain relevant certificates of applicable compliance certifications such as, but not limited to, FedRAMP, ITIL, COBIT, ISO 2700, etc.?
    a. Will your firm be able to provide these certificates with a proposal?
23. Has your firm currently or in the recent past provided and managed tier II and III Help Desk/Service Desk support?
    a. If so, provide details about these contracts.
24. Has your firm currently or in the recent past provided and managed 24/7/365 server monitoring with service desk support?
    a. If so, provide details about these contracts.
25. Does your company have and provide an insider cyber threat program?
    a. If so, please provide information on this solution.
    b. How would you propose providing this service to allow access and reporting to IT Federal Staff and 3rd party representatives?
26. Does your company provide, maintain, and provide SBA Federal staff or its representatives access to a SIEM?
27. Does your company provide Managed Trusted Internet Protocol Services (MTIPS)?
    a. If so, please provide information on this solution.
    b. How will you provide access to IT Federal Staff and 3rd party representatives?
    c. Do you have EINSTEIN capabilities as a TIC provider?
28. Can your company provide centralized digital archival storage?
    a. Please provide your company's retention policy.
29. Does your company possess, or how would you staff, the expertise and physical environment to provide and maintain the SBA with scalable bandwidth?
    a. With an understanding of the SBA needs contained within this announcement, please provide information on your bandwidth offerings which will meet or exceed these requirements.
30. Have you contracted with other Government agencies or any large commercial entity for these services?
    a. List which agency, the contract number and the value, point of contact and services provided.
31. Does your company provide, maintain and regularly test an Incident Response plan (IRP)?
    a. Please provide your IRP.
    b. How often is it conducted?
    c. Do you conduct at least one yearly hot test and recovery?
32. Does your company have the expertise, knowledge, and ability to provide DHS with the access needed to collect data from all network devices associated with and/or utilized to serve the needs of this SBA contract, to comply with the federally mandated Continuous Diagnostic and Mitigation (CDM) program, and to provide ongoing maintenance, monitoring, and support for the CDM systems across the agency network?
33. Does your company have a data-migration strategy in the event the SBA chooses to move to a different provider?
    a. Would your firm be able to provide these procedures at the time of a proposal?
34. Does your company have provisions for data and code escrow?
35. Does your company provide any SLA guarantees?
    a. Are they published?
    b. For this announcement, please provide any published SLAs that guarantee the level of performance, availability, and security your company provides, and govern the actions you will take or the compensation you will provide in the event you fail to meet these guarantees.
    c. If the SLAs are written per requirement, please provide a sample.
36. Based on the limited information provided, please provide a magnitude estimate range for a monthly cost for this type of service.
37. Besides the information provided in this Sources Sought/Request for Information, what other details do you need to adequately provide a Performance Work Statement and a cost proposal?
38. Do you think your company would be interested in making an offer on this sort of work?
39. WHAT TYPE OF CONTRACT VEHICLE WOULD YOU RECOMMEND, taking into consideration that Firm Fixed Price is preferred?
40. What are your solutions, capabilities, and recommendations for cloud based, remotely managed security tool engineering and management, and security monitoring?
Please limit your responses to no more than 10 pages. This is not a request for competitive proposals or quotations. There is no solicitation at this time. This notice is to determine if there are an adequate number of interested Small Business Concerns capable of providing a Cyber Cloud Security Service. A determination will be made by the Contracting Officer, based on the responses to this inquiry, as to whether to proceed with the acquisition as a set-aside for Small Business. The Government has not determined at this time whether a Firm-Fixed Price contract or an IDIQ contract, both with a base and 4 option years, is the best strategy. Interested parties should submit their responses with technical capabilities by November 17, 2016 at 2:00 p.m. MST. Email your response demonstrating your firm's experience and capabilities to Toni.Hoskinson@sba.gov
- Web Link
- FBO.gov Permalink (https://www.fbo.gov/spg/SBA/OOA/OPGM/SBAHQ17R0001/listing.html)
- Place of Performance
- Address: Not determined at this time., United States
- Record
- SN04321550-W 20161109/161107233959-d263e039d5fc929a394e12e7e6e83eee (fbodaily.com)
- Source
- FedBizOpps Link to This Notice (may not be valid after Archive Date)