Loren Data's SAM Daily™

FBO DAILY - FEDBIZOPPS ISSUE OF JULY 23, 2017 FBO #5721

70 -- TAC-17-42241 Security Remediation, PLEASE DISREGARD SOURCES SOUGHT VA118-17-N-2342 - Attachment

Notice Date
7/21/2017
 
Notice Type
Attachment
 
NAICS
541519 — Other Computer Related Services
 
Contracting Office
Department of Veterans Affairs; Technology Acquisition Center; 23 Christopher Way; Eatontown NJ 07724
 
ZIP Code
07724
 
Solicitation Number
VA11817N2347
 
Response Due
7/28/2017
 
Archive Date
8/27/2017
 
Point of Contact
Raymond Mesler
 
Small Business Set-Aside
N/A
 
Description
REQUEST FOR INFORMATION/SOURCES SOUGHT
PLEASE DISREGARD SOURCES SOUGHT NUMBER VA118-17-N-2342

This RFI is for planning purposes only and shall not be considered an Invitation for Bid, Request for Task Execution Plan, Request for Quotation or a Request for Proposal. Additionally, there is no obligation on the part of the Government to acquire any products or services described in this RFI. Your response to this RFI will be treated only as information for the Government to consider. You will not be entitled to payment for direct or indirect costs that you incur in responding to this RFI. This request does not constitute a solicitation for proposals or the authority to enter into negotiations to award a contract. No funds have been authorized, appropriated or received for this effort. Interested parties are responsible for adequately marking proprietary, restricted or competition sensitive information contained in their response. The Government does not intend to pay for the information submitted in response to this RFI.

Scope of Work
The Department of Veterans Affairs (VA) is conducting market research across industry to identify existing commercial-off-the-shelf (COTS) product solutions and services to identify, report and support remediation of MUMPS software security vulnerabilities in the Veteran's Information System and Technology Architecture (VistA). VistA is the integrated administrative, financial, business, and clinical system supporting VA's operations.

Current Environment
VistA is a fully integrated system comprising 181 clinical, financial, and administrative applications integrated within a single database, such that there is only one single authoritative version of any data that all applications use. The VistA database is the Congressionally-mandated single source of truth for Veteran information, and is required to be accessible and usable for the lifetime of the Veteran. The clinical component of VistA (analogous to an Electronic Health Record (EHR)) represents only 50% of VistA's functionality. There are 130 VistA systems in production across the U.S. supporting over 1,200 Veterans Health Administration hospitals and clinics. Each VistA instance is composed of over 2,700 files, 64,000 data fields, 1,300 print templates, 9,100 options structured across 1,700 menus, 3,300 remote procedure calls, 38,000 routines, and 4.7 million lines of code. Each system has some local variation of all of these artifacts.

VistA is based on MUMPS (the Massachusetts General Hospital Utility Multi-Programming System, abbreviated as "M"), the industry-standard database technology in healthcare. All Federal healthcare systems are based on M (Indian Health Service (IHS), Defense Health Agency (DHA), Veterans Health Administration (VHA)); in the private sector more than 50% of all U.S. hospitals are based on M. The virtue of M is that all the data and code are tightly integrated in a single environment, making highly reliable, highly performant, tightly integrated transactional systems. However, this tight integration of code and data can also create challenges if not properly managed.

VistA includes Class I applications that have been consolidated to a national standard, and many locally-developed applications at each location designated as Class III applications. All Class I and Class III applications must be evaluated for security vulnerabilities. The 130 VistA systems also vary in local configuration, which may be hard coded in MUMPS. These localizations must also be evaluated.

Security Issue Identification Support
The proposed product must identify security vulnerabilities in VistA M code. VA has documented about 20 specific issues (section IV below) to be identified in M code. VA anticipates the catalog of issues to grow. The MUMPS Security Scanning tool must provide a ruleset of security issues. This ruleset must be extensible to support VA documented issues. Additionally, the ruleset should associate with each rule the standards and regulations that provide the basis and explanation of the rule. After scanning VistA M code, the tool will report identified vulnerabilities. Reported vulnerabilities must reference the M code containing the issue, the location of the code and the relevant rule's basis and explanation.

Scanning Process Support
VA anticipates the security scanning to start by identifying security issues in a VistA instance that is the national gold standard. Identified security vulnerabilities must be cataloged and given unique identifiers. VA further anticipates that each of the 130 potentially unique instances of VistA will be scanned incrementally. Security vulnerabilities identified in previous scans should be referenced so that duplicate reports are not created. New vulnerabilities should be added to the reports with unique identifiers. The MUMPS Security Scanning tool output will be provided as input to a separate MUMPS security remediation team. The MUMPS Security Scanning tool should provide information to allow VA to manage this separate remediation process. This should include high-level summary reports of security issues grouped by severity or type with the number of instances of the issue identified. The tool should also allow users to view security issues affecting individual VistA instances, and conversely, the instances identified with each security issue. Further, the scanning tool should identify changes in instances as they are rescanned over time, allowing VA to demonstrate progress in remediation. The process of scanning and reporting should be automated as much as feasible to ensure managing the security scanning is sustainable.

Business Process Support
VA anticipates the MUMPS Security Scanning tool will identify security vulnerabilities in M code for remediation. Further, VA anticipates that the affected M code may be used by multiple business processes, and conversely, that business processes may contain code with multiple issues. Therefore, the MUMPS Security Scanning tool must be able to map the business process through the logical path in the M code to allow each single business process to be efficiently remediated as a logical unit of work such that business disruption does not occur during remediation (i.e. remediate all issues in a business process at one time). Identified issues must be exportable in a standard digital format such as XML or CSV such that they can be imported into an issue tracking system.

Extended Services
VA expects basic services such as:
- Installation of the tool on VA provided infrastructure
- Configuration of the tool to analyze VistA instances
- System administration of the tool to ensure its ongoing effective operation
- Application of the tool to identify security issues
- Technical support of the tool

VA anticipates the need for the following extended services:
- Application and operation of the tool by Subject Matter Experts to apply the security ruleset to the VistA instances
- Mentoring of VA personnel in the tool's application to the VA environment and this work effort
- Continuous expansion of the security ruleset based on input and approval from VA
- Continuous application of updated security rulesets to the queue of VistA instances
- Capture of the business process flow (modelling) revealed by the tool
- Extension of the tool's analysis to additional VistA components based upon input and approval from VA
- Continuous improvement of the reports and/or dashboards to support understanding of the volume and location of issues identified by application, business process or VistA instance
- Training of up to 10 people per quarter

Technical Background
VA requires a commercial off the shelf (COTS) tool to assist in identifying and reporting VistA M code security vulnerabilities. This tool is necessary to progress VA's VistA Security Remediation (VSR) projects. Industry feedback is requested to assist VA to identify COTS tooling to achieve the desired objectives as indicated by the referenced requirements.

Priority
The VSR project is a top priority for VA. VA has selected a COTS EHR and anticipates that for a transition to be successful, the VSR effort must be executed to have a standard VistA baseline from which to integrate and later migrate.

RFI Response
Your response must include the following: Provide a completed Excel spreadsheet indicating whether your product fully meets, partially meets, or does not meet some or all of the stated VistA MUMPS Security Scanning Tool requirements. Please use the spreadsheet included in this RFI release for capture of your product's alignment to the stated requirements. No other method for this mapping will be accepted.

Security Issue Identification Requirements
- Identify IP addresses and patterns.
- Identify WWW references and patterns.
- Identify HTTP references and patterns.
- Identify HTTPS references and patterns.
- Identify port opening and closing references and patterns.
- Identify Social Security Number references and patterns.
- Identify copyrights.
- Identify all OPEN commands.
- Identify all CLOSE commands.
- Identify direct SET of the DUZ variable array.
- Identify direct calls to the Linux or Windows operating system.
- Identify embedded keys.
- Provide the capability to retrieve additional patterns to be discovered within the code by means of an externally managed file.
- Provide Vulnerability IDs (V-Key) that are correlated with the most recent Federal security mandates, policies and guidance (NIST, FISMA, HIPAA, etc.).
- Provide timely updates to ensure the accuracy of the V-Key correlation.
- Provide a reporting capability and outputs in configurable XML, CSV and other common ingestible formats.
- Store findings, logs and metadata utilizing current FIPS 140-2 approved cryptographic methods.
- Assess security implications while handling errors (error handling response).

Scanning Process Support Requirements
- Report security issues in gold image VistA.
- Report security issues in deployed VistA systems.
- De-duplicate security issues in multiple images so that the same issue in multiple deployments is not reported as unique issues.
- Support rescanning of VistA instances and reconcile issues against previous scans.

Business Process Support Requirements
- Identify location of security issues by routine, application, business process and VistA instance.
- Provide summary report of security issues by business process, application or routine.
- Provide detail report of security issues grouped by business process, application or routine.
- Provide a user interface to allow users to explore relationships between routines, applications and business processes.

Extended Support Requirements
- Provide basic support as described.
- Provide extended support as described.

For the following questions 1-6, please provide a response that is no more than 5 pages:
- Provide a product description that describes HOW your product (fully or partially) meets the stated requirements, and which aligns to the completed spreadsheet. Please include: a description of the VA environment that would be required to host this product and/or whether the product is available in a cloud environment; whether the product is 508-compliant; whether the product is VA Technical Reference Model (TRM)-approved.
- Provide product pricing for: an annual subscription license; any related peripheral maintenance/support/enhancement services. Provide a description of the pricing model to allow understanding of how pricing is determined.
- Provide product pricing for basic services described above.
- Provide product pricing for extended services described above.
- Provide any information regarding product access, whether via direct purchase or through a reseller, via General Services Administration (GSA) contracts, System for Enterprise Wide Procurement (SEWP), other Government-Wide Acquisition Contract (GWAC) vehicle(s), and/or VA contract vehicles to which you have access in your response.
- Identify current clients who have procured the product and/or are using the product in a limited demonstration mode. Specific examples or references provided must include the agency, point of contact, dollar value, and contract number, as applicable.
- Identify whether your product is accessible via SDVOSB/VOSB firms.

Responses are due to: Raymond Mesler, Contract Specialist, Raymond.mesler@va.gov, no later than 1:00 PM EST on July 28, 2017. Electronic submission via email is requested. Response shall include company information, including socio-economic size, DUNS number and CAGE code. See attached document: VA VistA MUMPS Security Scanning Tool Requirements_for RFI.
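As an added illustration (not VA's requirements document and not any vendor's product), a small Python sketch of the behaviour the Security Issue Identification and Scanning Process Support requirements above ask for: a ruleset loaded from JSON as an externally managed file could supply it (constructed, with placeholder V-Keys and basis strings), pattern matching over constructed M routine text, an issue id that is stable across instances so the same defect in many deployments is catalogued once, and a reconcile step for rescans. The M handling (blanking string literals, treating ZSYSTEM as the OS call) is GT.M/YottaDB-style and is an assumption; rules for the rest of the catalog are left out.

```python
import hashlib
import json
import re

# Constructed ruleset in the JSON shape an externally managed file could supply; V-Keys and
# basis strings are placeholders. "text" rules see the raw line (URLs sit inside quotes);
# "code" rules see the line with string literals and comments blanked, so commands are matched.
RULESET_JSON = r"""{
 "V-IP":    {"scope": "text", "basis": "RFI: IP addresses", "re": "\\b(?:\\d{1,3}\\.){3}\\d{1,3}\\b"},
 "V-HTTP":  {"scope": "text", "basis": "RFI: HTTP/HTTPS references", "re": "https?://"},
 "V-SSN":   {"scope": "text", "basis": "RFI: SSN patterns", "re": "\\b\\d{3}-\\d{2}-\\d{4}\\b"},
 "V-OPEN":  {"scope": "code", "basis": "RFI: OPEN commands", "re": "(?i)(?:^|\\s)(?:O|OPEN)(?::\\S+)?\\s"},
 "V-CLOSE": {"scope": "code", "basis": "RFI: CLOSE commands", "re": "(?i)(?:^|\\s)(?:C|CLOSE)(?::\\S+)?\\s"},
 "V-DUZ":   {"scope": "code", "basis": "RFI: direct SET of DUZ", "re": "(?i)(?:^|\\s)(?:S|SET)(?::\\S+)?\\s(?:\\S*,)?DUZ(?:\\(|=)"},
 "V-OS":    {"scope": "code", "basis": "RFI: OS calls (GT.M/YottaDB ZSYSTEM)", "re": "(?i)(?:^|\\s)(?:ZSY|ZSYSTEM)(?::\\S+)?\\s"}
}"""
RULES = {k: dict(v, re=re.compile(v["re"])) for k, v in json.loads(RULESET_JSON).items()}

def code_only(line):
    """Blank M string literals ("" escapes a quote inside one) and drop the ; comment."""
    return re.sub(r'"(?:[^"]|"")*"', '""', line).split(";", 1)[0]

def scan_routine(instance, routine, source):
    """Findings for one routine. The id hashes rule, routine and normalized line, not the
    instance or line number, so the same issue in many deployments shares one id."""
    out = []
    for lineno, raw in enumerate(source.splitlines(), 1):
        for vkey, rule in RULES.items():
            if rule["re"].search(raw if rule["scope"] == "text" else code_only(raw)):
                fid = hashlib.sha256(f"{vkey}|{routine}|{' '.join(raw.split())}".encode()).hexdigest()[:16]
                out.append({"id": fid, "vkey": vkey, "basis": rule["basis"], "routine": routine,
                            "instance": instance, "line": lineno, "code": raw.strip()})
    return out

def catalog(findings):
    """De-duplicate across instances: one entry per id, listing the instances that carry it."""
    cat = {}
    for f in findings:
        cat.setdefault(f["id"], {"vkey": f["vkey"], "routine": f["routine"], "instances": set()})
        cat[f["id"]]["instances"].add(f["instance"])
    return cat

def reconcile(previous_ids, current_ids):
    """Rescan support: classify issue ids as new, resolved, or persisting."""
    prev, cur = set(previous_ids), set(current_ids)
    return {"new": cur - prev, "resolved": prev - cur, "persisting": cur & prev}

# Constructed M routine text, not VistA code; DUZ is VistA's signed-on-user variable.
GOLD_SRC = ('DEMO ;constructed routine\n S DUZ=1,DUZ(0)="@"\n'
            ' O 56:("/tmp/out.txt":"W") U 56 W "http://10.1.2.3/api" C 56\n'
            ' S X="123-45-6789" ZSY "ls"\n Q')
SITE_SRC = GOLD_SRC.replace(' S DUZ=1,DUZ(0)="@"', " S X=DUZ")  # one site already removed the DUZ SET
```

Reading DUZ (`S X=DUZ`) is deliberately not flagged; only a direct SET of DUZ or a DUZ(...) node is.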
 
Web Link
FBO.gov Permalink
(https://www.fbo.gov/notices/c19784f258094a280c0875729a20e77a)
 
Document(s)
Attachment
 
File Name: VA118-17-N-2347 VA118-17-N-2347.docx (https://www.vendorportal.ecms.va.gov/FBODocumentServer/DocumentServer.aspx?DocumentId=3679563&FileName=VA118-17-N-2347-000.docx)
Link: https://www.vendorportal.ecms.va.gov/FBODocumentServer/DocumentServer.aspx?DocumentId=3679563&FileName=VA118-17-N-2347-000.docx

 
File Name: VA118-17-N-2347 VA VistA MUMPS Security Scanning Tool Requirement for RFI.xlsx (https://www.vendorportal.ecms.va.gov/FBODocumentServer/DocumentServer.aspx?DocumentId=3679564&FileName=VA118-17-N-2347-001.xlsx)
Link: https://www.vendorportal.ecms.va.gov/FBODocumentServer/DocumentServer.aspx?DocumentId=3679564&FileName=VA118-17-N-2347-001.xlsx

 
Note: If links are broken, refer to Point of Contact above or contact the FBO Help Desk at 877-472-3779.
 
Record
SN04589498-W 20170723/170721234350-c19784f258094a280c0875729a20e77a (fbodaily.com)
 
