Loren Data's SAM Daily™

SAMDAILY.US - ISSUE OF JULY 02, 2021 SAM #7153
SOURCES SOUGHT

D -- Payment Card Industry Data Security Standard (PCI DSS) Compliance

Notice Date
6/30/2021 1:44:37 PM
 
Notice Type
Sources Sought
 
NAICS
541519 — Other Computer Related Services
 
Contracting Office
DEFENSE COMMISSARY AGENCY FORT LEE VA 23801# USA
 
ZIP Code
23801#
 
Solicitation Number
HQC007-21-Q-1RFI
 
Response Due
7/14/2021 1:00:00 PM
 
Archive Date
01/01/2022
 
Point of Contact
Heather Jarratt, Phone: 804734800086302, Beverly Summerson, Phone: 804734800048524
 
E-Mail Address
heather.jarratt@deca.mil, beverly.summerson@deca.mil
 
Description
**Must be US Citizens**

Request for Information

This notice is to see if there are Small Business Certified 8(a) vendors who are capable of providing DeCA's requirement for Payment Card Industry Data Security Standard (PCI DSS) Compliance, as detailed below. If your organization is capable of providing the full scope of the requirement, please submit your Point of Contact (POC) information to April Brewer, email: april.brewer@deca.mil, no later than the notice response date/time. POC information shall include: Name, Email Address, and Phone Number.

NOTE: Questions will not be accepted at this time. The purpose of this notice is to collect market research and understand the capabilities available in the industry for the subject requirement.

Payment Card Industry Data Security Standard (PCI DSS) Compliance Assessment

The contractor shall assess DeCA's environment as a Level 1 merchant annually for compliance with the intent and nature of the current PCI DSS published by the PCI Council. The assessment must be conducted by a Qualified Security Assessor (QSA) (employee and company) in good standing with the PCI Council. QSA companies are independent security organizations that have been qualified by the PCI Security Standards Council to validate an entity's adherence to PCI DSS. QSA Employees are individuals who are employed by a QSA Company and have satisfied and continue to satisfy all QSA Requirements. The contractor shall ensure the assessment is performed in compliance with current PCI DSS requirements and QSA standards. The contractor shall work with the project manager to identify facilities that are within the scope of the assessment and coordinate site visits prior to travel. In addition, this task requires the contractor(s) assigned to hold a background investigation required for IT-III access.

Penetration Test

The penetration test service will be used to assess the security posture of the DeCA network. The entire network is in scope; testing will be done at the network and application layer. The objective of a network penetration test is to determine whether the current network security controls are vulnerable to an attack from an entity that has gained access to the network either physically or virtually, and to satisfy the penetration testing requirements within the PCI DSS. Internal testing is used to validate security policy and development standards by attempting to identify how resilient the internal network is to attacks. Two penetration tests will be conducted annually for each option year. Testing must be in accordance with the requirements in the PCI DSS and the current Information Supplement: Penetration Testing Guidance published by the PCI Council in order to satisfy DeCA's annual requirements. In addition, this task requires the contractor(s) assigned to execute this task to hold a background investigation required for IT-II (and possibly IT-I) access. The contractors executing the penetration test must hold at least 2 of the following penetration testing certifications in good standing:

- Offensive Security Certified Professional (OSCP)
- Certified Ethical Hacker (CEH)
- Global Information Assurance Certification (GIAC) Certifications (e.g., GIAC Certified Penetration Tester (GPEN), GIAC Web Application Penetration Tester (GWAPT), or GIAC Exploit Researcher and Advanced Penetration Tester (GXPN))
- CREST Penetration Testing Certifications
- Communication Electronic Security Group (CESG) IT Health Check Service (CHECK) certification

External Vulnerability Scanning

The external vulnerability scanning service will be used to assess the security posture of external or Internet-facing systems within the DeCA network to satisfy PCI DSS requirements. The scanning service must be conducted by an Approved Scanning Vendor (ASV) to comply with the PCI DSS. An ASV is an organization with a set of security services and tools ("ASV scan solution") to conduct external vulnerability scanning services to validate adherence with the external scanning requirements of PCI DSS Requirement 11.2.2. The scanning vendor's ASV scan solution is tested and approved by PCI SSC before an ASV is added to PCI SSC's List of Approved Scanning Vendors. All external or Internet-facing systems on the DeCA network will be scanned on a monthly basis with this service. This service will be used to produce four passing quarterly vulnerability scans for DeCA's external-facing systems, as required by the PCI DSS. In addition, this task requires the contractor(s) who have access to view this data to hold a background investigation required for IT-III access.

Portal

Real-time status of services being performed, requirements, DeCA's state of compliance, and the ability for DeCA personnel to manage Approved Scanning Vendor (ASV) scans, re-scans, submittal for quarterly attestation, and scan results, Qualified Security Assessor (QSA) assessment documentation and results, and penetration testing and results shall be provided via a secure website. The portal hosting annual PCI DSS artifacts, assessment results, Report on Compliance, and penetration test results shall be provided via a secure website (approved for storage of DoD Controlled Unclassified Information per DoD requirements). This website should provide DeCA personnel access to the current status of their scans and scanning vulnerability status, to include launching re-scans and submitting mitigations, annual assessment, and penetration testing activities. This site should also provide DeCA's compliance status to the acquiring bank, which can review and obtain PCI compliance information and compliance status for DeCA upon request. In addition, this task requires the contractor(s) who have access to view this data to hold a background investigation required for IT-III access.
 
Web Link
SAM.gov Permalink
(https://beta.sam.gov/opp/2852ae4706014699a3f7021236fa7a30/view)
 
Place of Performance
Address: Fort Lee, VA 23801, USA
Zip Code: 23801
Country: USA
 
Record
SN06048303-F 20210702/210630230119 (samdaily.us)
 
Source
SAM.gov Link to This Notice
(may not be valid after Archive Date)

© 1994-2024, Loren Data Corp.