MODIFICATION
D -- Security Controls Assessment (SCA)
- Notice Date
- 1/6/2017
- Notice Type
- Modification/Amendment
- NAICS
- 541512
— Computer Systems Design Services
- Contracting Office
- Department of Health and Human Services, Centers for Medicare & Medicaid Services, Office of Acquisition and Grants Management, 7500 Security Blvd., C2-21-15, Baltimore, Maryland, 21244-1850
- ZIP Code
- 21244-1850
- Solicitation Number
- HHSM-500-2017-RFP-0008
- Point of Contact
- David Fitton, Phone: 410-786-1492; Dawn R. Wilkins, Phone: 410-786-4588
- E-Mail Address
- david.fitton@cms.hhs.gov, dawn.wilkins@cms.hhs.gov
- Small Business Set-Aside
- N/A
- Description
- Sources Sought Notice amendment 1 (Amended to show submission date as 1/12/17 at 2:00 pm)

Introduction

This is a SOURCES SOUGHT NOTICE (SSN) posted for INFORMATIONAL PURPOSES ONLY. It will be used to obtain information regarding the availability and capability of qualified small businesses (e.g. 8(a), small disadvantaged businesses, veteran-owned small businesses, service-disabled veteran-owned small businesses (SDVOSB), HUBZone small businesses, women-owned small businesses, and small business) to provide the services described herein. The Centers for Medicare & Medicaid Services (CMS) will use the information received to determine if the work described herein will be set aside for small business. Based upon the results of the evaluation of the respondents' capabilities, CMS may set the work aside for a specific type of small business (i.e. HUBZone, WOSB, SDB, SDVOSB, or 8(a) small business), or determine that the work should be competed on an unrestricted basis.

Background

The Centers for Medicare & Medicaid Services (CMS) is the agency of the Federal Government that administers the Medicare and Medicaid programs. CMS also supports the Affordable Care Act with the CMS Marketplace and supporting systems. It should be noted that the CMS Marketplace has become one of the most visible programs, both politically and technologically, in the Nation. CMS is responsible for the payment of almost $1 trillion each year for medical services rendered to over 100 million program beneficiaries and recipients. CMS currently has approximately 4,500 employees at its central site in Baltimore and in ten (10) regional offices in major cities throughout the country. CMS contracts with approximately thirty (30) companies to process claims for reimbursement for medical services rendered under the Medicare program, and works with all 50 states in the management of the Medicaid program. Several companies administer both Part A and Part B of the Medicare program. As a result, there are currently twenty-three (23) fiscal intermediaries and seventeen (17) carriers processing Medicare fee-for-service claims.

In the administration of these programs, CMS utilizes many assets including buildings, facilities, communications equipment, computer systems, employees, contractors, public trust, and information. A loss of any one of these assets could affect the quality of support provided by CMS to its various customers. In particular, CMS needs systems of cost-effective computer security controls to protect CMS' critical information technology assets. CMS collects information that falls into the categories of privacy data, personal health data, proprietary data, procurement data, inter-agency data, and privileged system information. Access to these types of information is controlled by the Privacy Act of 1974, as amended; the Computer Security Act of 1987, as amended; the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, as amended; and the Federal Information Security Management Act (FISMA) of 2002, as well as various rules, regulations, policies, and guidelines promulgated by the Department of Health and Human Services (DHHS), the Office of Management and Budget (OMB), and the National Institute of Standards and Technology (NIST). As a result, CMS has a legal and practical responsibility to maintain the confidentiality, integrity, and availability (CIA) of this information.

The CMS Information System (IS) Security Assessment and Authorization (SAA) Program is a critical component of the entire CMS Integrated IT Investment & System Life Cycle "Framework", which has most recently been updated to the CMS Expedited Life Cycle (XLC). All CMS systems must undergo a Security Controls Assessment (SCA) each year as part of the effort towards obtaining or maintaining their current security accreditation and authorization to operate (ATO).

CMS has introduced many new technical initiatives in the last two (2) years, including several new Cloud Services, Agile development, DevOps software deployment models, CI/CD processes, ongoing authorization, and built-in security processes. CMS is also building out a new CDM program per HHS directives. The Contractor will utilize these CMS initiatives to improve CMS' ability to automate as many security controls as possible and continue to move toward the Ongoing Authorization model. CMS will focus security efforts on the most critical security controls (as defined by CMS). The Security Controls Assessment (SCA) is conducted as part of the Security Assessment and Authorization (SAA) process for a new system before it is placed into an operational state, when a significant change has been made to an existing system, or at least every three years. CMS is moving away from this point-in-time testing model and pushing towards ongoing authorization and built-in security models, where automated and frequent control testing is going to become the norm. Currently, the Security Controls Assessment (SCA) still plays a vital role in assisting with and validating that appropriate management, operational, and technical security controls have been implemented for the information system and that CMS systems and data are protected.

Purpose

The purpose of the Security Controls Assessment (SCA) is to provide continuous security controls assessment and ongoing authorization (OA) support for the CMS Enterprise Information Security Group (ISPG). This will be achieved while maintaining compliance with the defined CMS IS policies, standards, procedures and guidelines as stated on the CMS Website: http://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/index.html.

SCA Scope of Services and Required Capabilities

The Contractor shall perform SCAs of cyber-services, applications, databases, platforms, and infrastructures of all CMS FISMA systems. CMS systems are located throughout the continental United States in disparate data centers, which are often built using a combination of bare-metal rack-oriented servers, virtualized server technologies, Cloud Service Provider technologies (IaaS, PaaS, SaaS), and various Identification and Authentication mechanisms such as SAML, OpenID, OAuth, and CSP IDaaS solutions. Each CMS system may be composed of various heterogeneous technologies ranging from modern to legacy, which may include but is not limited to: all types of Cloud Service Provider technologies (MS Azure, AWS, Salesforce, etc.); microservice (API) based systems; various development frameworks and components such as .Net, Java, JMS, SOAP, REST, XML, JSON, JWT, and supporting middleware; Unix; various flavors of Linux servers (RHEL, Solaris, Debian, CentOS, etc.); Windows servers (all versions); VMWare; database systems (MS SQL, MySQL, Oracle, PostgreSQL, Hadoop, etc.); Mainframe technologies such as M204, DB2, RACF, CICS, COBOL, Host On Demand, TSO, z/OS, LDAP, RACF, and Visual Basic; web systems such as IIS, WebSphere, MQ Messaging, Informatica, COGNOS, and Citrix; and other products and technologies. Many applications are custom developed and will require a source code review and manual testing during the security assessment. The Contractor shall be able to perform SCAs and have experience in testing all of the technologies listed above (or similar technologies) and more, as well as capabilities in the following areas:

1. SCA CADENCE

CMS currently tracks approximately 230 systems in its system inventory. CMS maintains a rigorous pace of system security control evaluation throughout the fiscal year. The Center for Internet Security (CIS) has created a methodology of risk identification and prioritization of the top 20 high-risk security areas for government and industry. Each system within CMS will have the CIS Top 20 Critical Security Controls (CSCs), as well as some select CMS security and privacy controls, tested once per year by the Contractor. The Contractor will plan on a one (1) week "onsite" testing window for the vast majority of CMS systems and applications. However, CMS also has approximately 40 data centers for which ALL of the CMS/NIST 800-53 rev 4 security controls will need to be tested (not just the CIS CSCs). It is reasonable to assume that these larger environments and larger control sets will take two (2) weeks for the Contractor to complete the respective security assessment. The Contractor shall provide staff resources appropriately such that they are able to complete a total of 4 to 5 security assessments per week, allowing appropriate lead time when testing a larger data center. CMS estimates that the work defined in this SOW will require approximately 12 to 15 full-time staff to properly execute.

2. SCA CONTROL SET

A typical security assessment shall consist of testing systems for effective implementation of the CIS Top 20 Critical Security Controls (CSCs), as well as some additional CMS security and privacy controls. Appendix A contains a list of the CIS Top 20 CSCs for reference. This sample list of tests is not all-inclusive, and all tests listed may not be required for all assessments. The Contractor will work with the Business Owner, ISSO, and ISPG to determine which types of tests are required for each system and its respective assessment.

3. CDM INTEGRATION

The CMS Continuous Monitoring and Enterprise Vulnerability Management Programs use the nCircle IP360 system to scan for vulnerabilities at about 80% of CMS systems and applications. The system collects and reports on vulnerability information on operating systems, databases, and applications. When applicable, the Contractor shall be able to request nCircle IP360 reports for analysis in determining vulnerabilities during infrastructure SCAs and as directed by the GTL.

4. APPLICATION TIER TESTING

As part of the SCA, CMS requires that the Contractor place a strong emphasis on Application and Database security. This may include penetration testing with tools such as OWASP ZAP or Burp. An analysis of the application build process must also be performed, and a source code analysis may be needed to supplement the security assessment. The type and degree of analysis performed will depend largely on the type of application being assessed. Legacy applications built using COBOL will require little or no source code review. However, new web services, APIs, and other custom applications may require static application security testing (SAST) and/or dynamic application security testing (DAST).

5. TEST DATA TRANSFER AND STORAGE

The Contractor shall use the CMS internal system of record for security documentation, namely CFACTS, to store and share artifacts generated as a result of each assessment. CMS has implemented the CMS FISMA Control Tracking System (CFACTS), Trusted Integration's Agent software, as the tool that tracks security deficiencies, Plans of Action & Milestones (POA&M), and Corrective Action Plans (CAPs). All security controls tested and findings discovered during an SCA must be presented in a CFACTS Management Worksheet at the end of the assessment and as part of the Final SCA Package.

Instructions/Requirements for Submitting SSN Responses to CMS:

SUBMISSIONS IN RESPONSE TO THIS SOURCES SOUGHT ARE VOLUNTARY. THIS IS STRICTLY GOVERNMENT MARKET RESEARCH TO ASSIST IN DETERMINING THE APPROPRIATE ACQUISITION STRATEGY TO OBTAIN CONTRACTOR SUPPORT SERVICES DESCRIBED IN THIS NOTICE. THE CENTERS FOR MEDICARE & MEDICAID SERVICES (CMS) MAY OR MAY NOT ISSUE A REQUEST FOR PROPOSAL OR REQUEST FOR QUOTATION. RESPONSES TO THIS SOURCES SOUGHT NOTICE SHALL BE THE SUBMISSION OF A CAPABILITY STATEMENT, AND WILL NOT BE EVALUATED.

CMS requests that respondents review the above overview and provide a capability statement that demonstrates the contractor's understanding of the requirements. In general, while this SSN is not a request for a technical proposal, respondents should provide enough information for CMS to make a determination as to the capability to perform the same or similar work. Specifically, Contractors are requested to provide specific examples of their most recent experience as it relates to the requirements in this notice. Responses will be reviewed for content that demonstrates both capability and experience. Responses should include, at a minimum, the information identified in each of the following:

1. Business Information:
a. Company Name;
b. Company Address;
c. D&B DUNS Number;
d. Current GSA contracts/schedules and/or other GWACs or IDIQ contracts that your organization possesses that are appropriate to the requirements of this Sources Sought, including associated expiration dates (if applicable);
e. Does your organization have a Government approved accounting system, or will it have a Government approved accounting system by time of award? If your organization has a Government approved accounting system, please identify the agency that approved the system;
f. Type of company (e.g., small business, 8(a), veteran-owned small business, service-disabled veteran-owned small business, HUBZone small business, small disadvantaged business, and women-owned small business) as validated via the System for Award Management (SAM);
g. Company Point of Contact (POC) name, phone and email address; and,
h. POC, phone and email address of individuals who can corroborate the demonstrated capabilities identified in the responses.

Teaming Arrangements: Firms seeking to respond to this notice as a team or to rely on subcontractors to perform any portion of the work must include the above-requested information and certifications for each entity on the proposed team or each proposed subcontractor. Responses must clearly indicate the nature of the teaming arrangement (i.e. Joint Venture, Mentor/Protégé, Subcontractor, etc.). Please note that in accordance with FAR 52.219-14, at least 50 percent of the cost of contract performance incurred for personnel shall be expended for employees of the small business concern. In the event of conflict between FAR clause 52.219-14 and 15 U.S.C. § 657s, for purposes of the limitations on subcontracting, CMS will follow 15 U.S.C. § 657s.

2. Describe your general overall knowledge and experience with (including examples), and/or ability to provide with teaming partners, the required SCA testing services described above, including the following:
a. SCA Cadence
b. SCA Control Set
c. CDM Integration
d. Application Tier Testing
e. Test Data Transfer and Storage

Interested parties having the capability and expertise necessary to perform the requirements outlined above are requested to submit capability statements via email to david.fitton@cms.hhs.gov and dawn.wilkins@cms.hhs.gov on or before 2:00 p.m. (EST) Thursday, January 12, 2017. Responses are limited to 15 pages only and should be submitted in a Word or Word-comparable document. Page size should be 8.5 by 11 inches, using 12 pt. font and standard margins.

Additional Information:
• Proprietary Information and Disclaimers: Respondents should identify any proprietary information in their SSN response. Information submitted in response to this SSN will be used at the discretion of the Government. Further, the information submitted will remain confidential insofar as permitted by law, including the Freedom of Information and Privacy Acts. CMS reserves the right to utilize any non-proprietary technical information in the anticipated SOW or solicitation.
• Responses to the SSN are not offers and cannot be accepted by CMS to form a binding contract. CMS does not intend to award a contract on the basis of this SSN, or to otherwise pay for the information solicited. No reimbursement will be made for costs associated with providing information in response to this SSN or any follow-up information request.
• Respondents should be aware that this SSN is for market research purposes only, and any responses submitted do not constitute a commitment by CMS to treat any offeror more or less favorably in any anticipated forthcoming solicitation and/or ultimate award.
• Responses to the SSN will not be returned. All communications shall be by email.
• Respondents will not be notified of the results of the review of the responses.
• Although it is not necessary to address within capability statements, interested vendors and teaming partners should be aware of any potential, actual, or perceived organizational conflicts of interest. Any real or potential conflicts must be sufficiently mitigated prior to contract award. For further guidance, refer to the Federal Acquisition Regulation, Part 9.5.
• An organization that is not considered a small business under the applicable NAICS code should not submit a response to this notice.
• This Sources Sought Notice is for information and planning purposes only and is not to be construed as a commitment by the Government. This Notice does not obligate the Government to award a contract, reimburse any costs associated with providing information, or otherwise pay for the information provided in response. No proprietary, classified, confidential or sensitive information should be included in your response. The Government reserves the right to use any non-proprietary technical information in any resultant solicitation(s). Any organization responding to this notice should ensure that its response is complete and sufficiently detailed to allow the Government to determine the organization's ability to provide the resources and knowledge to deliver the required services. Respondents are advised that the Government is under no obligation to acknowledge receipt of the information received, provide feedback to respondents with respect to any information submitted, or notify them of the results of this evaluation. All information submitted in response to this announcement must arrive on or before the closing date.

Appendix A: Security Controls in Scope

CIS Critical Security Controls
- CSC 1: Inventory of Authorized and Unauthorized Devices
- CSC 2: Inventory of Authorized and Unauthorized Software
- CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
- CSC 4: Continuous Vulnerability Assessment and Remediation
- CSC 5: Controlled Use of Administrative Privileges
- CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs
- CSC 7: Email and Web Browser Protections
- CSC 8: Malware Defenses
- CSC 9: Limitation and Control of Network Ports, Protocols, and Services
- CSC 10: Data Recovery Capability
- CSC 11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
- CSC 12: Boundary Defense
- CSC 13: Data Protection
- CSC 14: Controlled Access Based on the Need to Know
- CSC 15: Wireless Access Control
- CSC 16: Account Monitoring and Control
- CSC 17: Security Skills Assessment and Appropriate Training to Fill Gaps
- CSC 18: Application Software Security
- CSC 19: Incident Response and Management
- CSC 20: Penetration Tests and Red Team Exercises
- Web Link
- FBO.gov Permalink: https://www.fbo.gov/spg/HHS/HCFA/AGG/HHSM-500-2017-RFP-0008/listing.html
- Place of Performance
- Address: CMS, 7500 Security Blvd, Baltimore, Maryland, 21244, United States
- Zip Code: 21244
- Record
- SN04365506-W 20170108/170106234015-24d9c79b393d79c06a654c940260fe68 (fbodaily.com)