SOURCES SOUGHT
D -- Risk Management Framework (RMF) Services
- Notice Date
- 11/3/2021 8:15:05 AM
- Notice Type
- Sources Sought
- NAICS
- 541512 (Computer Systems Design Services)
- Contracting Office
- DEPT OF COMMERCE NIST GAITHERSBURG MD 20899 USA
- ZIP Code
- 20899
- Solicitation Number
- AMD-SS-F-22-00063_MHB
- Response Due
- 11/9/2021 7:00:00 AM
- Archive Date
- 11/24/2021
- Point of Contact
- Monica Brown, Phone: 3019750642
- E-Mail Address
- monica.brown@nist.gov
- Description
- NOVEMBER 1, 2021: This notice was revised as follows.
1. Corrected the Section 3, Period of Performance date from January 1, 2021 to January 1, 2022.
2. Provided clarity to Section 5. The changes have been underlined.
3. Extended the response date to November 9, 2021.
4. Added the attachment, Appendix C.

THIS SOURCES SOUGHT NOTICE REPLACES PREVIOUS NOTICE ID: NB1810002101730, PUBLISHED JUNE 28, 2021

1. Background

NIST's Cyber Risk Scoring (CRS) Solution provides the foundation for the organization's Information Security Continuous Monitoring (ISCM) program, allowing for near real-time visibility into security and privacy risk. Due to changing technologies and a dynamic threat landscape, it is important for NIST to continue to improve the effectiveness of its risk scoring and ISCM program. To meet these challenges, NIST's CRS Solution requires more automation of assessment processes and increased mission/business context to maintain ongoing awareness of information security and privacy in support of organizational risk management decisions. NIST's CRS Solution consists of Archer, a leading product for integrated risk management and the tool previously mandated by the Department of Homeland Security (DHS) for Continuous Diagnostics and Mitigation (CDM), and Tableau, a business intelligence tool, which together aggregate and normalize assessment data from a variety of sources. Leveraging the US Census Bureau's proven risk scoring methodology, the CRS Solution program enables the effective and efficient management of information systems and creative ability in the development and improvement of methods and procedures. Continued interoperability with the US Census Bureau's methodology and their implementation of Archer would allow direct comparisons across Department of Commerce organizations. More information regarding NIST's risk scoring methodology can be found in Appendix A.

Through NIST's CRS Solution, NIST implements ISCM by prioritizing control assessments to focus the scope of assessments, and provides on-demand reports to allow for more frequent reviews of security and privacy metrics. Continued integration of CDM into local vulnerability management practices will allow NIST to strengthen the organization's ability to monitor and manage the threat of cyber vulnerabilities. Additionally, incorporating cybersecurity risk as a function of enterprise risk management provides the organization with a holistic view of risk across various business process areas.

2. Scope

The Contractor shall provide the full suite of IT security support services listed in the Contractor Performance Requirements section for the National Institute of Standards and Technology (NIST). Critical components of these services include the development and maintenance of IT security processes, procedures and associated documentation that support compliance with the Federal Information Security Management Act (FISMA) of 2002 (Title III, Pub. L. No. 107-347). This contract is to support NIST's goal of automating the full suite of security and privacy Assessment & Authorization activities, to the best extent possible, and to provide real-time situational awareness to NIST stakeholders. Skills and experience in all functional and technical services listed above, and the details of each described below, are required in order to meet NIST requirements. All work falls within the scope of services described within this PWS, but the specifics of implementation and timeframes are variable to meet the real-time demands of a dynamic IT environment and increasing Federal requirements. Some activities require ongoing maintenance, such as maintaining a current and secure technical environment. Some activities require development of new functionality or real-time dashboards to support risk management needs.

This may include a tailoring of the Contractor's methodology and/or tailoring of the Risk Scoring Solution to best align the methodology and software to meet NIST's current needs. At the time of award, the Authority to Operate for roughly half of NIST IT systems will be expiring, assessments will be in process or not yet started, and development of various technical & functional services at various stages for any given system will be in process. The knowledge, skills, and ability to hit the ground running with multiple high-priority projects currently at mid-stream is critical. The various roles within this contract will work collaboratively to meet program and/or system requirements. The Contractor shall work with NIST to meet each requirement throughout the Period of Performance, as NIST and the Contractor work together to further define the details of each requirement. Due dates and the specific scope of work for each deliverable shall be agreed upon between the COR and the Contractor for each system. Regular technical and program status meetings with Contractor and Federal staff will ensure requirements and deadlines are well understood and on track. More details regarding the deliverable due dates can be found in Appendix B, Deliverable Schedule.

3. Period of Performance

The period of performance of this task order is for 1 base year, beginning January 1, 2022, with 4 option year periods from the date of task order award. Performance requirements are expected to remain as described below in Section 4 throughout the option years.

4. Contractor Performance Requirements

Details regarding each support area are provided in the sections below:

A. ISCM Management

The contractor will assist with the management and maintenance of the organization's ISCM strategy and program plan. The contractor shall develop and maintain ISCM control assessment schedules and scanning frequencies for all NIST IT systems in the CRS Solution based upon the component's risk score and priorities outlined in the organization's ERM program. Additionally, the contractor shall ensure that all vulnerability and secure configuration scan results are aggregated and analyzed within the CRS Solution and mapped to the appropriate IT systems. Schedules for assessment must assign unique assessment frequencies to each control in the NIST SP 800-53 (latest revision) catalog and vary, based on risk, from one system's component to another. Where appropriate, each control test step in each component must be accounted for in the component's ISCM schedule. Any significant change to an IT system should result in reexamination of the ISCM control assessment schedule, which shall be adjusted accordingly in the CRS Solution. Additionally, the contractor must conduct annual reviews of the efficiency and effectiveness of the ISCM program and make necessary changes to the overall strategy and plan as needed.

B. Risk Profiling

The contractor shall create security Risk Profiles for all NIST IT systems and components based on the attached list of NIST Systems and using NIST's risk scoring methodology. Risk Profiles shall be developed at both the system and component levels. Individual system and component Risk Profiles are leveraged to tailor security & privacy controls and denote the risk associated with each security and privacy control and the associated impact to the organization from non-compliance with Federal, DOC, and NIST security requirements. Risk Profiles shall include both technical and business/mission related information for each system and component. All Risk Profiles must conform to NIST's Component Creation Framework guidance, as outlined in Appendix C. All system security and privacy controls and associated substeps, whether documented directly within the Risk Profile for a system or component, or by reference to another Risk Profile system or component, must be accounted for in their entirety, as stipulated by the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53A, to support Operations & Maintenance (O&M) efforts.

C. RMF Solution Management

The Contractor shall maintain and enhance NIST's continuous monitoring/risk scoring toolset (Archer and Tableau) that facilitates NIST's continued execution of its IT Risk Management program, including the import of assessment data as well as the warehousing of historical assessment/scan data. The services and toolset shall provide the following capabilities:
- Operation and maintenance of an enterprise technical solution that automates the enterprise risk scoring methodology through organizationally tailored risk profile questionnaires at the component, system, and organizational levels
- Operation and maintenance of Archer and Tableau reporting software and integration between Archer and Tableau
- Development and deployment of new functionality and capabilities within Archer and Tableau
- Full maintenance and enhancement support of customized Archer on Demand Applications (ODA) and Tableau risk scoring reports/templates (e.g., version updates, bug fixes, code updates, patches, functionality enhancements)
- Integrating Archer and Tableau with legacy IT systems and system significant changes
- Automating the scoring of vulnerabilities and mapping of secure configuration baseline assessment results to SP 800-53 security controls using risk scoring methodologies
- Storing control implementation, accepted risks, and Plan of Action & Milestones for each NIST formatted Risk Profile
- Correlating assessment content for each control element with the Risk Profile implementation details
- Providing dynamic reporting and current status information for all control implementations in NIST's tiered reporting format
- Consuming automated and manual input for compliance and vulnerability analysis
- Categorizing and storing business and technology risk factors for each system and component, and adjusting resultant system and component risk scores based thereupon
- Providing technical and programmatic integration with DHS CDM and other Archer product modules

D. Risk Scoring

The Risk Scoring methodology shall be implemented and maintained using modules provided by Archer to leverage the resources and knowledge already developed within the organization. The Risk Scoring methodology shall meet the following criteria:
- Derives risk scores from automated and manual assessment results for all applicable security controls as described in SP 800-53A
- Is based on the NIST Risk Management Framework (RMF)
- Maps to the National Cybersecurity Framework (CSF)
- Prioritizes risk scores to identify the highest risk areas for weakness mitigation first
- Leverages threat intelligence scoring to assist in additional prioritization of agency risk
- Adds capabilities to allow multiple manual assessments
- Differentiates risk scores by system-specific and inherited risks
- Includes capabilities to allow association of controls, components, and assessments for seamless integration with scanning engines (such as Nessus)
- Provides risk scores at the component, system, and organizational levels
- Takes into account business and technical factors (with quantitative risk values) to tailor risk to individual systems
- Adds system identifiers to allow grouping of multiple components into systems

For any given NIST IT system, the solution must be maintained to provide risk scores in real-time. Changes to IT systems, new components of existing systems, new data types, or entirely new IT systems could require configuration and/or development support. These are identified as the need arises.

E. Inheritance Model Management

The contractor shall assist with the identification of enterprise common control providers (ECCPs), those common across the entire organization, and local common control providers (LCCPs), those common across components within a system. The contractor shall be responsible for identifying common controls provided by the ECCPs and LCCPs and managing the overall technical inheritance model within the CRS Solution as part of O&M. The contractor shall work with NIST to document changes in providers and common controls throughout the annual assessment cycle and incorporate changes into the CRS Solution accordingly. Additionally, the contractor shall assist in the identification of ECCPs and LCCPs that can be automatically assessed.

F. Automation

The contractor shall automate control assessments at the system, component, asset, ECCP, and LCCP levels in the CRS Solution. The contractor shall meet the following criteria:
- Automation of NIST SP 800-53 (latest revision) 5 control assessments;
- Automation of assessment evidence for control assessments, including ECCPs and LCCPs;
- Automation of security and privacy reporting;
- Automation of Assessment & Authorization workflow;
- Automation of additional manual A&A processes as defined by the organization;
- Integration of vulnerability data, compliance data, and automated and manual assessment data with additional NIST systems; and
- Integration of threat intelligence data to prioritize remediation activities

G. Control Assessments

The contractor shall provide independent security and privacy assessments and security officer support as required by FISMA and Special Publication (SP) 800-37 Revision 2 for systems, such as those noted in Appendix A to this PWS, in the CRS Solution. System Security Officer and independent security and privacy control activities shall include the following:
- Facilitating a smooth operation of the Security and Privacy Assessment with the system owner, security officers, system staff, and other agency stakeholders;
- Serving as the point of contact for assessment activities;
- Reviewing system boundaries and completing and/or updating system security plans, network diagrams, hardware asset and software inventories, Privacy Threshold Analysis and/or Privacy Impact Analysis, and contingency plans;
- Developing assessment test plans and procedures;
- Performing security assessments to include vulnerability scanning and secure configuration testing using manual and automated tools;
- Executing tests to establish the efficacy of implemented system level security controls;
- Entering the results into Archer;
- Analyzing the results; and
- Preparing the draft and final security test plans, security test results, scan analyses, security assessment reports, and supporting memoranda using NIST provided templates

Control assessment activities emphasize accurate identification, documentation, and testing of controls for system assessments scheduled during the period of performance. Control assessment results shall be documented within Security Assessment Plans, Privacy Assessment Plans, vulnerability scan analyses, Security Assessment Reports, Privacy Assessment Reports, and Plans of Action & Milestones (POA&Ms). The culmination of each assessment shall be documented for NIST Authorizing Officials within the Security Assessment Report and Privacy Assessment Report, which shall include a summary of system assessment activities and a Risk Assessment table documenting risks to the system and detailing risks to be accepted as well as those requiring POA&Ms. All activities shall be based on criteria outlined in the latest versions of NIST Special Publications (SP) 800-18, 800-37 Rev. 2, 800-53 Rev. 5, 800-53A, and 800-60 (all found at http://csrc.nist.gov/publications/nistpubs/index.html). Additionally, the contractor shall support NIST in the analysis of external audit reports and in the preparation of agency responses and/or remediation plans to address the identified issues. The contractor must be familiar with the specific requirements imposed by the common auditing bodies for the organization, including the GAO (FISCAM), DOC IG and DOC OS.

H. Program Governance

The contractor shall develop and manage NIST's internal and external relations with other organizational units and provide advisory and technical security support for information assurance issues specifically related to the ISCM Program implementation across NIST to support O&M. The contractor shall:
- Provide executive and divisional support as required to foster relations between and among business units within the bureau as well as with other departments and federal government entities
- Be responsible for developing informational and training materials to convey the mission, methodologies and practices of NIST's ISCM strategy and procedures
- Develop and deliver presentations and briefs for both inter-agency and external requirements and documentation such as process guides, announcements and press releases, as needed
- Develop and maintain process documentation to describe NIST's means of conducting its ISCM process and activities
- Develop and maintain documentation detailing the configuration and required administrative activities for operation and management of the CRS Solution

I. Risk Reporting & Dashboards

The Contractor shall develop information security and privacy report templates that can be generated on demand, as needed for completion of assessment packages. These reports shall provide an assessment of security and privacy control effectiveness, identify vulnerabilities and residual risk, and provide prioritizations for remediating vulnerabilities.

The system assessment packages, prepared by the Contractor during control assessments, shall include the following artifacts:
- Security Assessment Report (SAR) summarizing identified vulnerabilities and associated risks, assignment of risk sources (inherited or system-specific), and the overall residual risk of the system relative to an identified risk threshold, with a prioritization of risks based on the proportion of the total.
- Privacy Assessment Report (PAR) summarizing identified vulnerabilities and associated risks, assignment of risk sources (inherited or system-specific), and the overall residual risk of the system relative to an identified risk threshold, with a prioritization of risks based on the proportion of the total.
- Security Assessment Plan (SAP) with the capability to accept and integrate security control evaluations at either the individual step or the overall control level, for both the individual components and the system as a whole.
- Privacy Assessment Plan (PAP) with the capability to accept and integrate privacy control evaluations at either the individual step or the overall control level, for both the individual components and the system as a whole.
- System Security & Privacy Plan (SSPP) based on automated data and manual input
- Contingency Plan (CP)
- System network diagram(s) based on manual input
- Vulnerability Scan Analysis (VSA) identifying the findings, severity, potential impact, and recommended remediations based on the results of the Tenable and WebInspect automated scan tools
- Asset Inventory (Hardware) based on automated data from the Automated NIST Tracking System (ANTS) and manual input
- Software Inventory based on automated data from enterprise management tools and manual input
- Privacy Threshold Analysis (PTA)
- Privacy Impact Assessment (PIA), if required

Real-time reports provided in Tableau shall include, at a minimum:
- Enterprise Level Reports: These reports are intended for the Chief Information Officer (CIO), Chief Information Security Officer (CISO), and Chief Privacy Officer (CPO) and provide enterprise information security and privacy reporting for all NIST systems, including visibility into common control performance and trending vulnerabilities
- System Level Reports: These reports are intended for Authorizing Officials (AO), Information System Owners (ISO), and Information System Security Officers (ISSO) and provide information security and privacy reporting metrics for all systems within their purview, as well as reporting on the vulnerabilities and risks identified during an assessment
- ISCM Report: This report is intended for Assessors and Information System Security Officers to track the progress of ISCM assessments and provides reporting on the vulnerabilities and risks identified during an assessment
- Cybersecurity Framework (CSF) Report: This report is intended for the CIO and provides a summary of how the organization is performing against the various functions, categories, and subcategories within the CSF.

J. Experience

In addition to the capabilities listed above, a vendor must have the following experience at a minimum:
- Defining/deploying a proven, enterprise security and privacy risk scoring methodology that provides risk scores at multiple levels within the organization, differentiates between system-specific and inherited risk, and aids with weakness mitigation
- Designing/implementing a software capability that is inherently built to score manual and automated control assessment input across the full suite of SP 800-53 (latest revision) control steps
- Architecting, developing, and configuring Archer and Tableau
- Integrating requirements from the Cybersecurity Framework and Continuous Diagnostics and Mitigation program
- Extensive knowledge of conducting security assessments for Authorization to Operate based on NIST SP 800-37 and SP 800-53 (current revisions)

5. Instructions to Responders

Interested parties that have the capabilities to meet ALL of the Government's basic requirements are requested to provide a narrative demonstrating their capabilities to meet ALL the requirements of this sources sought notice, A-J. The response shall be formatted to clearly identify/reference the section of the sources sought being addressed, A-J, and provide a narrative for each. Additionally, the following statement must be addressed and capabilities explained: "At the time of award, the Authority to Operate for roughly half of NIST IT systems will be expiring, assessments will be in process or not yet started, and development of various technical & functional services at various stages for any given system will be in process. The knowledge, skills, and ability to hit the ground running with multiple high-priority projects currently at mid-stream is critical." The referenced Appendix A and B are attached to this notice.

Responses shall be provided via email to monica.brown@nist.gov, shall be no more than 15 pages describing the responder's abilities to meet all requirements, and shall be received no later than the response date of November 8, 2021, 10:00 a.m. for this sources sought notice. The response should include information relevant to your capabilities, including any requirements that cannot be met or that are deemed close to but not meeting an identified requirement. Also, the following information is requested to be provided as part of the response to this sources sought notice:
- Name of company(ies), their addresses, and a point of contact for the company (name, phone number, fax number and email address) that provide the services for which specifications are provided.
- Indication if the company(ies) are small business and social economic category(ies).
- Indication of whether the services required are currently on one or more GSA Schedule (i.e. Multiple Award Schedules [MAS]) contracts and, if so, the GSA MAS contract number(s).
- Indication if the company(ies) can provide all, or some, of the services.
- Any other relevant information that is not listed above which the Government should consider in developing its minimum specifications and finalizing its market research.
- Web Link
- SAM.gov Permalink (https://beta.sam.gov/opp/0491ae8b03fe4a1bb9f9745715f722cb/view)
- Place of Performance
- Address: Gaithersburg, MD 20899, USA
- Zip Code: 20899
- Country: USA
- Record
- SN06170312-F 20211105/211103230113 (samdaily.us)