Loren Data's SAM Daily™

FBO DAILY - FEDBIZOPPS ISSUE OF AUGUST 12, 2017 FBO #5741
SOLICITATION NOTICE

D -- DB2 Security Services and PBX Security Review - RFQ Document

Notice Date
8/10/2017
 
Notice Type
Combined Synopsis/Solicitation
 
NAICS
541512 — Computer Systems Design Services
 
Contracting Office
Federal Reserve, Board of Governors, Procurement (DFM), 20th Street and Constitution Ave, NW, Washington, District of Columbia, 20551, United States
 
ZIP Code
20551
 
Solicitation Number
201700454
 
Archive Date
9/2/2017
 
Point of Contact
Jay Khandekar, Phone: 2027365674
 
E-Mail Address
jay.khandekar@frb.gov
 
Small Business Set-Aside
N/A
 
Description
Statement of Work and evaluation criteria

THE BOARD OF GOVERNORS OF THE FEDERAL RESERVE SYSTEM
REQUEST FOR QUOTE

This is a Request for Quote (RFQ) from the Board of Governors of the Federal Reserve System (the Board). The Board requests a firm-fixed-price quote by 4:00 P.M. EST on Friday, 18 August 2017 to provide the services described in the Statement of Work (SOW) below.

QUOTE REQUIREMENTS
Quotes shall contain the following:
1. Price quote: Provide a firm-fixed-price quote for the services as described in the Statement of Work.
2. Technical Specifications: Provide specifications of the items, warranty period (if any), and delivery terms (if any).

EVALUATION
The Government shall issue a purchase order resulting from this RFQ to the responsible quoter whose quote, conforming to the RFQ, represents the lowest-priced-technically-acceptable (LPTA) quote.

COVERED COMPANY PREFERENCE
If a covered company, as defined below, is among the quoters whose price is being evaluated for the items set forth in this RFQ, the price will be adjusted as described in paragraph 1, below. The adjusted price will be used when evaluating quotes as described above.
1. Except for the acquisitions described in paragraph 2, below, if a covered company submits a responsive quotation, the Contracting Officer shall, for evaluation purposes, add to each noncovered company’s proposal the following factor(s): three percent (3%) of the first $500,000, plus one percent (1%) for any amount of the quote that exceeds $500,000. After applying this price adjustment, the Contracting Officer will evaluate the proposals and award the purchase order as provided above.
2. No price adjustment will be calculated in any of the following acquisitions, even if a covered company is a bidder: (1) the value of the contract is equal to or less than $100,000; (2) the acquisition is a set-aside under the Board’s Small and Disadvantaged Business Acquisition Policy; (3) the covered company has executed a waiver of the price preference; (4) price is not a factor in the evaluation; or (5) the contract is being awarded pursuant to the Trade Agreements Act or another international agreement.

A “covered company” means a firm qualified as a small business concern under the Small Business Act (15 U.S.C. § 632) and regulations thereunder, including (1) business concerns that meet the size eligibility standards set forth in 13 C.F.R. § 121; (2) small business concerns owned and controlled by veterans or service-disabled veterans as defined by 15 U.S.C. § 632(q); (3) qualified HUBZone small business concerns pursuant to 15 U.S.C. § 632(p) and 13 C.F.R. § 126; (4) socially and economically disadvantaged small business concerns as defined by 15 U.S.C. § 637 and certified as such under 13 C.F.R. § 125; and (5) small business concerns owned and controlled by women as defined by 15 U.S.C. § 632(n).

QUESTIONS
Questions regarding this RFQ shall be submitted in writing by Tuesday, 15 August 2017 via e-mail to Jay Khandekar at jay.khandekar@frb.gov.

SUBMITTAL INSTRUCTIONS
Quotes may only be e-mailed directly to jay.khandekar@frb.gov, the sole designated E-mail address and inbox for receipt of E-mail submissions. No other electronic means of submission, used in whole or in combination with E-mail, is permitted. No other method of submission is acceptable. E-mail quotes shall be in either Adobe or Microsoft Office format. Quoters are advised that the Government may be unable to receive other types of electronic files (e.g., .zip files) or files in excess of 20 megabytes. To be timely, an E-mail quote must be received in its entirety in the designated E-mail inbox by the due date and time for quote submission.

Statement of Work
Title: Mainframe Penetration Testing, DB2 Security Services and PBX Security Review
Quote required by: Friday, 18 August 2017 at 4:00 P.M. EST
Contracting Point of Contact: Jay Khandekar, 202.736.5674, jay.khandekar@frb.gov

STATEMENT OF WORK
Mainframe Penetration Testing, DB2 Security Services and PBX Security Review

C.1 BACKGROUND
The Board of Governors of the Federal Reserve System (“Board”) performs security reviews of the Board’s information technology infrastructure annually in order to comply with the Federal Information Security Management Act (“FISMA”). In the case of the Mainframe, DB2 and PBX systems, the Board seeks an outside consultant specialized in those technical areas to perform the required security review, also known as a penetration test (“pentest”).

C.2 SCOPE OF WORK
The scope of work is primarily divided into three areas, Mainframe, DB2 and PBX, as more fully described in Sections C.3 to C.5 below.

C.3 Mainframe
3.1 For this task, the Contractor shall perform a pentest of the Board’s mainframe using the Contractor’s choice of methodology. During the performance of the pentest on the Board’s mainframe, the Contractor shall ensure that under no circumstances may the activities impact the performance and/or operations of the Board’s mainframe environment. The scope of the environment to be covered by Section 3.1 includes the following:
· One z/OS mainframe
  o Version 2.1
  o ACF2 v.15
  o VSAM master files and DB2

The Contractor shall perform specific tasks as requested by the Board which shall include, but not be limited to, the following:
2.1.1 Evaluate the security controls of the Board’s z/OS Version 2.1 system configuration and ACF2.
2.1.2 Evaluate access points to the Board’s z/OS system. Verify that interfaces are properly configured.
2.1.3 Review the current I.C.U…MVS installation and verify valid, efficient software placement, allocation, authorizations, and accessibility.
2.1.4 Evaluate transaction processing environment configuration and security controls.
2.1.5 Review mitigation of previous assessment findings, if applicable.
2.1.6 Perform technical tests identified in NIST SP 800-53A or DISA STIGs.
2.1.7 Evaluate security controls at boundaries between test, development and production.
2.1.8 Review the I.C.U…MVS reports and make recommendations on possible improvements.
2.1.9 Examine the data contained within the MVS environment to determine what information related to mission-critical business is vulnerable to exposure.
2.1.10 Analyze the security posture of the ACF2 environment and examine MVS, look at the access control environment residing on MVS, and move beyond these to determine what data might be exposed to inadvertent or intentional misuse.
2.1.11 Determine whether information that sits in storage, as well as data that resides in memory, may be exposed inadvertently. Examine various ways of subverting the access control structure and determine what problems exist.

2.2 The Contractor shall be responsible for providing the following deliverables, at a minimum:
2.2.1 A high-level debrief at the conclusion of the work.
2.2.2 Executive Summary in writing.
2.2.3 Methodology described in writing.
2.2.4 Detailed documentation, in writing, to prove all the findings; each finding shall include the following information, at a minimum:
2.2.4.1 General description of the finding.
2.2.4.2 Risk assessment: High, Medium or Low.
2.2.4.3 Ease of fix: Easy, Moderately Difficult, Very Difficult or No Known Fix.
2.2.4.4 Estimated work effort: Minimal, Moderate, Substantial, Unknown or Time estimate.
2.2.4.5 Detailed in-depth description.
2.2.4.6 Suggested remediation.

2.3 The Contractor’s assigned consultant must have at least 15 years of experience in the related mainframe areas and experience in performing similar tasks.
2.4 This task should be completed in no more than 21 labor days.

C.4 DB2
2.5 This task will require the Contractor to examine and analyze the overall DB2 installation to evaluate the basics of the Board’s DB2 installation and perform a root analysis of the implementation. The Contractor shall focus on individual problem areas rather than begin a series of “stovepipe” examinations. The Contractor will evaluate the configuration of DB2 and identify any weakness as well as any vulnerability. During the performance of the work required under Section C.4, the Contractor shall ensure that under no circumstances may the activities undertaken impact the performance and/or operations of the Board’s DB2 environment.
2.6 The Contractor shall deliver a detailed written report of its analysis to the COTR and advise the Board on any additional work the Board should undertake based on its analysis and the Board’s DB2 information security priorities and risk management goals.
2.7 The Contractor’s assigned consultant must have at least 15 years of experience in the related DB2-on-mainframe areas and experience in performing similar tasks.
2.8 This task should be completed in no more than 32 labor days.

C.5 PBX
5.1 This task requires the Contractor to evaluate the security controls employed by the Board to protect its unified communications voice network infrastructure through the assessment of exposures related to Avaya Communication Manager servers, Meeting Exchange Enterprise servers, Aura Messaging servers, Aura Application Enablement Services (AES) servers, Call Management System servers, Aura Session Manager servers, Aura System Manager servers, Aura Conferencing (AAC) servers, VeraSMART eCAS and Avaya G450, G650 and Secure Access Link Gateways, and the applicable and accessible Linux operating systems and software configuration for the following:
5.1.1 Eight (8) Avaya Communications Manager (CM) servers running version 6.3 software: including six (6) Communications Manager servers in the Production Environment and two (2) CM servers in the Contingency Environment. Included are main CM, ESS and LSP servers. The additional Linux vulnerability review includes (if accessible) the eight (8) physical servers (Dom0) and the thirty (30) total virtual machine domain environments (Cdom, ServicesDomain, Utility Server, Branch Session Manager, and Communication Manager), for a total of thirty-eight (38) hosts for all CM physical or virtual servers in scope.
5.1.2 Six (6) Avaya Aura Messaging servers: including three (3) Aura Messaging servers in the Production Environment and three (3) Aura Messaging servers in the Contingency Environment. The Linux vulnerability review includes the six (6) physical servers (dom0) and the eighteen (18) total virtual machine domain environments (Cdom, ServicesDomain, and Avaya Aura Messaging), for a total of 24 hosts for all Aura Messaging physical or virtual servers in scope.
5.1.3 Three (3) Avaya Application Enablement (AES) servers: including two (2) AES VM servers in the Board’s Production Environment and a single AES VM server in the Contingency Environment. Included are the application configuration layers in Management Console, System Platform’s web console and the Linux operating system. The Linux vulnerability review includes the three (3) physical servers (dom0) and seven (7) different virtual machine domain environments (Cdom, ServicesDomain, and AES), for a total of ten (10) hosts for all AES servers in scope.
5.1.4 Three (3) Avaya Aura System Manager servers, two (2) in the Board’s Production Environment and one (1) in the Board’s Contingency Environment. Included are the server application layers and the Linux vulnerability review, including the two (2) physical servers (dom0), one (1) VMware server, and six (6) different virtual machine domain environments (Cdom, ServicesDomain, and SM), for a total of nine (9) hosts for all SM servers in scope.
5.1.5 Seventeen (17) Avaya Aura Conferencing (AAC) servers running version 8.0 software: including thirteen (13) servers in the Production Environment and four (4) Automatic Disaster Recovery (ADR) servers in the Contingency Environment. Included are Application, Media, Web, Document Conversion, and Recording servers, and the Linux vulnerability review.
5.1.5.1 Two (2) Avaya Aura Session Manager servers, one in each of the Board’s Production and Contingency Environments. Included are the server application layers and the Linux vulnerability review, including the two (2) physical servers (SM) and two (2) different virtual machine domain environments (SM-100), for a total of four (4) hosts for all AES servers in scope.
5.1.5.2 One (1) Avaya Meeting Exchange Client Registration server. Included are the server application layers and the Linux vulnerability review, including the one (1) physical server (dom0) and two (2) different virtual machine domain environments (Cdom, ServicesDomain); the Windows vulnerability review includes one (1) virtual machine environment (MX CRS), for a total of four (4) hosts for all Client Reservation servers in scope.
5.1.5.3 One (1) Avaya Web Portal server. Included are the server application layers and the Linux vulnerability review, including the one (1) physical server (dom0) and three (3) different virtual machine domain environments (Cdom, ServicesDomain and MX WP), for a total of four (4) hosts for all Web Portal servers in scope.
5.1.6 One (1) Avaya Meeting Exchange S6200 Media Server. Included are the server application layers and the Linux vulnerability review, including the one (1) physical server.
5.1.6.1 One (1) Avaya Web Conferencing server. Included are the server application layers and the Linux vulnerability review, including the one (1) physical server (dom0) and two (2) different virtual machine domain environments (Cdom, ServicesDomain); the Windows vulnerability review includes one (1) virtual machine environment (MX AWC), for a total of four (4) hosts for all Web Conferencing servers in scope.
5.1.7 One (1) Avaya Call Management System (CMS) VMware server. Included are the server application layers and the Linux vulnerability review, including the one (1) virtual machine domain environment for the VMware server reviewed.
5.1.7.1 Two (2) Avaya Secure Access Link (SAL) Gateways on VMware. Included are the server application layers and the Linux vulnerability review, including the two (2) virtual machine environments for VMware reviewed.
5.1.8 Seven (7) Avaya G650 Media Gateways.
5.1.9 Twenty-nine (29) Avaya G450 Media Gateways.
5.1.9.1 VeraSMART eCAS Call Accounting application configuration review of Call Detail Recording on VMware. Included are the server application layers and the Windows server vulnerability review, including the one (1) virtual machine environment for VMware reviewed.

5.2 In performing this work, the Contractor will be required to complete the following tasks, at a minimum:
5.2.1 Review the applicable Linux operating systems and software security control configurations for an Avaya Communications Manager (CM) environment, as specified in section 5.1 above, for sufficiency of existing security controls and susceptibility to hacking techniques and employee misuse, and report the results of the analysis using the standard High, Moderate and Low risk ratings.
5.2.2 Review and incorporate the applicable telecommunications policies, procedures and practices into this customized analysis process, enabling the establishment of specific corrective actions for policy variances as well as the documentation of specific approved variances. The spirit of this review is to discover whether the Avaya Aura environment has been implemented and configured in a secure manner and to identify where particular features or functions are enabled that may put the Board at risk, as well as defining variations from organizational policy. These results will be entered into a customized report. This information associated with the Avaya voice network environment will identify system vulnerabilities, recommend specific corrective actions, and outline industry best practices as well as policy deviations and approved variances.
5.2.3 Review current Avaya Aura Communications environment configurations in both production and contingency environments and compare them to the 2015 Security Assessment findings, if applicable. All risk-mitigating corrective actions and partial corrective actions employed by the Board since the previous assessment will be documented.
5.2.4 Prepare and deliver system-specific, milestone draft reports which will include findings, specific supporting configuration data, the significance of the vulnerability to the Board’s communications network, and recommendations for correcting the vulnerability. The Contractor will conduct checkpoint conference calls with the Board’s designated project leaders and/or administrators responsible for the assessment review. The purpose of these checkpoints will be to discuss preliminary findings, resolve any open issues or policy questions that may have developed, and establish specific corrective actions and approved variances. A final draft will be delivered which will incorporate refinements from the checkpoint conference calls.
5.2.5 Prepare and deliver a matrix of findings which will describe server vulnerabilities and risk ratings, facilitating documentation of remediation or acceptance by Board project staff.
5.2.6 After the respective corrective action remediation on the software has been completed by the Board’s personnel, upon request, the Contractor will discuss these system configuration changes with Board personnel to verify that the appropriate corrective actions recommended during the initial assessment have been adequately addressed.

5.3 The security assessment report will detail the technical security shortcomings or vulnerabilities found in the access controls, services and system software configurations of the equipment examined. Each vulnerability finding is categorized by the potential level of impact that could be expected, weighed against the likelihood that a motivated adversary (e.g., hacker, competitor, disgruntled employee) could succeed in exploiting the vulnerability. For each of the vulnerabilities identified, the Contractor will provide a proven, actionable recommendation for closing or mitigating it. The best-practice recommendations for addressing the listed vulnerabilities combine industry knowledge, manufacturer recommendations or suggested product policy controls, NIST guidelines, FIPS recommendations and knowledge of hacker and toll theft techniques.

5.4 The level of effort described below corresponds to the security assessment of the Board’s Avaya Aura Unified Communications environment server and gateway configurations and the review of applicable policy, practices and procedures. Specifically, this level of effort addresses manual security assessment of forty-nine (49) total physical or VM servers, thirty-eight (38) total gateways and one hundred nineteen (119) total host vulnerability assessments, depending on configuration and availability. Included is the analysis and documentation of gaps between policy and applicable server and software configurations, and recommendations to bring configurations into compliance with Board policies. A Board-recommended Summary of Findings matrix will be provided. Also included is the review and documentation of applicable corrective actions employed since the 2015 Security Assessment findings, if applicable.
5.5 This task should be completed in no more than 65 labor days.

C.6 PLACE AND PERIOD OF PERFORMANCE
6.1 Place of Performance. The Contractor shall perform all data collection work in the Board’s New York Avenue building, located at 1709 New York Ave, NW, Washington, DC, unless otherwise agreed to by the COTR in writing.
6.2 Period of Performance. The Contractor shall complete all work and provide all required deliverables no later than December 15, 2017.
6.3 Unless the Board expressly authorizes otherwise in writing, the Contractor shall perform all work during the Board’s customary working hours, which are 7:00 a.m. through 6:00 p.m., Monday through Friday. During the course of the engagement there may be times when contractors will be required to work overtime, which may include working outside the normal working hours and/or working on Saturday and/or Sunday. Any such off-hours work will not affect the Contractor’s firm-fixed-price proposal to perform this work.
6.4 The Board will not provide parking for contractor personnel. The Board has a cafeteria on-site which contractor personnel will be able to use.
6.5 The Board observes the following holidays: New Year’s Day, Inauguration Day, Martin Luther King Jr.’s Birthday, Presidents’ Day, Memorial Day, Independence Day, Labor Day, Columbus Day, Veterans Day, Thanksgiving Day, and Christmas Day. The Contractor may perform work on these days, subject to the COTR’s prior notification and written approval.

C.7 DIVISION OF RESPONSIBILITY
The Board will provide or have others provide office space for the Contractor in the Board’s New York Avenue building, as needed, including a desk, telephone line, desktop computer, and other amenities necessary for performing the required services.

C.8 PROJECT MEETINGS
Special Meetings. The Board reserves the right to schedule special meetings during the course of the work, as required, to address matters that cannot be satisfactorily resolved by other means. Such meetings will be held at the Board’s offices.

C.9 CONDUCT OF CONTRACTOR PERSONNEL
The Board reserves the right to deny entry or access to its premises to any Contractor personnel whose presence, dress, or conduct the Board deems detrimental to the good order and productivity of its operations and staff. Such personnel shall be replaced by the Contractor immediately upon notification by the COTR, or his designee, that a problem exists. This replacement shall be made at no additional cost to the Board.

C.10 CONTRACT CLOSEOUT
10.1 Final Acceptance. The Contractor shall request, in writing, that the COTR acknowledge final acceptance of a phase, or of the project as a whole, when all of the conditions for completion of the phase or project have been satisfied and the Contractor has corrected any defects or omissions.
10.2 On receipt of a request for final acceptance, the COTR will either provide written certification of such acceptance or advise the Contractor of any unfulfilled requirements that must be met before a phase or the project can be considered complete and eligible for acceptance. If the Contractor is advised of any unfulfilled requirements, it must work to meet the unfulfilled requirements and/or correct outstanding deficiencies and re-submit a request for final acceptance demonstrating that it has met all unfulfilled requirements and corrected any deficiencies. The COTR will provide written certification of acceptance upon being satisfied that all unfulfilled requirements have been met and/or deficiencies corrected.
 
Web Link
FBO.gov Permalink
(https://www.fbo.gov/notices/0a9d6718829bc224183525e60bdc21d1)
 
Record
SN04623924-W 20170812/170810232944-0a9d6718829bc224183525e60bdc21d1 (fbodaily.com)
 
Source
FedBizOpps Link to This Notice
(may not be valid after Archive Date)
