Loren Data's SAM Daily™

fbodaily.com
FBO DAILY - FEDBIZOPPS ISSUE OF MARCH 05, 2017 FBO #5581
SOURCES SOUGHT

D -- Login.gov Penetration Testing

Notice Date
3/3/2017
 
Notice Type
Sources Sought
 
NAICS
541519 — Other Computer Related Services
 
Contracting Office
General Services Administration, Federal Acquisition Service (FAS), Assisted Acquisitions Services (WQA), 301 7th St SW Rm 6109, Washington, District of Columbia, 20407, United States
 
ZIP Code
20407
 
Solicitation Number
TTS(INFO)
 
Archive Date
3/25/2017
 
Point of Contact
Al Munoz, Phone: 2027344226
 
E-Mail Address
alberto.munoz@gsa.gov
 
Small Business Set-Aside
N/A
 
Description
SOURCES SOUGHT NOTICE
Penetration Testing and Red Team Services for LOGIN.GOV

THIS IS NOT A SOLICITATION FOR PROPOSALS. THIS IS A SOURCES SOUGHT NOTICE ONLY, for planning and information purposes. It shall not be considered a request for proposal or an obligation on the part of the Government to acquire any products or services. No entitlement to payment of direct or indirect costs or charges by the Government will arise as a result of responses to this notice or the Government's use of such information. No contract will be awarded as a result of this notice. Data submitted in response to this notice will not be returned; all submissions become Government property. The Government reserves the right to use information provided by respondents for any purpose deemed necessary and legally appropriate. The information provided in this notice is subject to change and is not binding on the Government.

I. PURPOSE

The General Services Administration is issuing this Sources Sought Notice on behalf of 18F to identify potential penetration testing providers who can support 18F's login.gov product.

Login.gov provides simple and secure access to public-facing federal consumer services and information while protecting consumer privacy. It is an open source, single sign-on service for government that gives the public a better customer experience and improved security, while offering the government cross-agency integration at lower cost. Login.gov encrypts the personal information of each user separately, using a unique value derived from that user's password, and implements the latest National Institute of Standards and Technology (NIST) standards for secure authentication and verification. Plans for ongoing security include regular penetration testing and external security reviews.

Individual accounts get two layers of security: login.gov requires two-factor authentication as well as strong passwords that meet NIST requirements. Login.gov evaluates and implements new authentication methods as they become widely available, so that it remains accessible and secure. Because personal data is encrypted separately for each user, login.gov cannot share any information with other government entities without the user's permission, and database administrators cannot decrypt a user's personal information without the user's password.

Additional information can be found at www.login.gov and in login.gov's open source repository: https://github.com/18F/identity-idp. The 18F identity playbook, with additional information about the login.gov methodology, is at https://pages.18f.gov/identity-playbook/. An overview of login.gov's security approach is at https://pages.18f.gov/identity-pii-management/. The login.gov team follows the Digital Services Playbook: https://playbook.cio.gov/.

The intended period of performance is two to four weeks, beginning approximately April 2017.

II. MANDATORY CRITERIA

Information is being requested to identify potential sources that meet the following criteria:
- Evidence of previous and repeated performance providing penetration testing and red team services for one or more top-five technology companies, as currently defined by alexa.com.
- A brief description of the penetration testing methodology and red team approach employed by your company.
- A description of a standard Operations and Red Team makeup deployed by your company, including position titles, descriptions, and roles.
- A proposed timeline of services, including expected needs for preparation, execution, and reporting.
- A description of any outcomes, assessments, recommendations, or other documentation your company would provide.

III. DESCRIPTION OF SERVICES

The following is a high-level overview of the red team services to be performed:
- Active penetration testing of live systems and networks.
- Target acquisition, inventory, probing, penetration, host-based assessment, and operational integration related to remote account registration, identity proofing, account management, and other flows used by public users registering for government services and benefits.
- Targeting of relying parties, credentials, session tokens, private information for arbitrarily identified users, private keys in use for TLS, jump box credentials, database credentials, permissions or schema, and more.
- Reports detailing, at a minimum, vulnerabilities, impact assessment, and recommended remediation.

IV. INSTRUCTIONS FOR RESPONDING TO THIS RFI

This is an information gathering exercise to identify potential sources and to help develop the requirements and the acquisition strategy for the Login.gov services.

CONFIDENTIALITY: No proprietary, classified, confidential, or sensitive information should be included in your response. The Government reserves the right to use any non-proprietary technical information in any resultant solicitation(s).

Response Format/Page Limitations: The overall page limit for responses to this RFI is two (2) double-sided pages, or a total of four (4) single-sided pages. Responses should be submitted in Microsoft Word or PDF format. Responses should be complete and sufficiently detailed. Please do not submit marketing material.

Responses should include the following information:

A - GENERAL INFORMATION
A1. Company name, address, contact information, and DUNS number;
A2. Business size/classification; and
A3. Any GSA schedules or other existing contract vehicles your firm holds that support the work described in this RFI.

B - CAPABILITY AND EXPERIENCE INFORMATION
B1. Describe your firm's level of experience and qualifications, or potential to acquire the capability, to support Login.gov's penetration testing needs.
B2. Describe your firm's ability to meet the mandatory criteria in Section II above; and
B3. Provide examples of your firm's experience supporting the migration of applications from a managed data center to a cloud-based hosted environment.

C - COMMENTS AND FEEDBACK
C1. Identify small business contracting and subcontracting opportunities.
C2. Based on your review of the RFI, what contract type do you recommend and why?
C3. Provide comments, suggestions, and/or insights you may want the Government to consider.
 
Web Link
FBO.gov Permalink
(https://www.fbo.gov/notices/15023efdc9d65d54b9fc64fdc0dc0529)
 
Record
SN04422808-W 20170305/170303235205-15023efdc9d65d54b9fc64fdc0dc0529 (fbodaily.com)
 
Source
FedBizOpps Link to This Notice
(may not be valid after Archive Date)

© 1994-2024, Loren Data Corp.