SPECIAL NOTICE
R -- INDUSTRY DAY
- Notice Date
- 11/4/2021 11:00:49 AM
- Notice Type
- Special Notice
- NAICS
- 541690 (Other Scientific and Technical Consulting Services)
- Contracting Office
- MILLENNIUM CHALLENGE CORPORATION Washington DC 20005 USA
- ZIP Code
- 20005
- Response Due
- 11/15/2021 10:00:00 AM
- Archive Date
- 11/30/2021
- Description
- The Millennium Challenge Corporation (MCC) intends to release a solicitation for a Commercial-Off-The-Shelf (COTS) Security Information Management system resulting from this Industry Day event. This product should be a FedRAMP certified cloud hosted COTS product that has robust security case management functions to track personnel; asset tracking; customizable forms; customizable reports; and that allows users to collaborate by assigning security controls to modules. Capabilities include security management, visitor access management, and training for implementation within the scope of the current requirements or in the future. This is a non-personal services contract (PSC) and MCC requires a firm to provide this product with related support services. The Eventbrite link for registration is at the bottom. The following are the needs of the Department:

  Desired core capabilities and functionalities:
  - Robust security case management functions to track personnel and assets
  - Customizable forms and customizable reports
  - Allows users to collaborate by assigning security controls to modules
  - Security management, visitor access management, and training for implementation
  - Ability to attach documents against an individual record
  - Insider Threat module that captures internal threats to the agency
  - Visitor access controls to capture foreign nationals visiting the agency
  - Track/deny new and returning visitors, manage meetings, and generate visitor reports
  - Expanded data fields to capture historical information and evolving security requirements from OMB
  - Expanded data fields to capture evolving security requirements, such as risk suitability and multiple instances where capturing dates are required
  - Email notifications for case status
  - Dynamic fields to capture details (ex: FTE vs Contractor)
  - Build customized reports
  - Configurable inboxes/data entry points
  - Track and manage classified areas, documents, containers, etc.

  General Requirements:
  - Must provide multiuser capabilities for simultaneous access "out-of-the-box" functionality through a single integrated application that includes fully integrated modules that provide a complete view of the security domain
  - Provide users with a single, customizable place to obtain dashboard information, maintain user's queues, activities and reports
  - Must have workflows and forms to facilitate the automated collection and distribution of initial employment and work information for Federal employees and contractors
  - Must include capability to notify Federal staff and candidates of status from system
  - Allow admins to enter the information manually; and allow individuals limited access to their records to review and validate personnel data
  - Provide role-based access control to components of the system based on the principle of least privilege, defined as giving a user account or process only those privileges which are essential to perform its intended function
  - Provide checklist templates that can be used to produce various checklists to assist in managing day-to-day operations
  - Provide for the complete management of all personnel, both un-cleared and cleared, to include the tracking of multiple clearances (eligibility and access), SCI accesses, and background investigations
  - Provide a user with detailed information including personal information, personal and emergency contacts, foreign travel and requests, insider threat case management, security incident logs
  - System that can be customized to display the organization's logo and colors

  Specific system requirements:
  - Provide a central storage (cloud base) location of the data supporting the activities
  - Must have the ability to reflect current background investigation and background investigation Tier types (1-5) with the ability to track clearance history through upgrades, downgrades, corrections, etc.
  - Track and report the foreign countries individuals have been assigned to support as official duties and whether required training and testing has been satisfied
  - Allow for travel requests to be managed within the application, i.e. track foreign travel, official and/or personal, including approval status, purpose, briefing and debriefing; manage pertinent information regarding foreign contacts, such as relationship type, occupation, employer, address and details of initial contact
  - Include tools for saved views, charts and dashboards that allow the user to easily and instantly view real-time data regarding an organization's health in terms of credentialing, national security eligibility, security clearance, suitability and fitness screening, suitability and fitness determination, security training and testing status and currency, security incidents and violations; and security review of requests for official and unofficial foreign travel, permanent certifications, visitor access requests to other Federal agencies, authorized physical accesses to facilities, and logical accesses to information systems
  - Allow authorized users to attach pertinent documents to an individual record
  - Ability to create statistical reports for monthly, quarterly and other requirements
  - Ability to create report for OPM's CVS monthly reconciliation of MCC's security clearance holders
  - Ability to query, compile, organize and track security incidents and violations, suspicious contacts, adverse information, thefts, facility incidents as well as insider threat indicators related to potential insiders, applied mitigation and further compliance reporting; and chart security incidents by a variety of pivots to include type and/or incidents over a given time period
  - Tracking other sensitive items (such as safe combinations, keys, access control cards, network accounts and other sensitive assets as defined by client)

  Technical Requirements:
  - Security Assertion Markup Language (SAML) V2.0 for API
  - The system must be compatible with Active Directory Federation Services (ADFS) as an identity provider for authentication of system users. The system should allow for non-ADFS authenticated local accounts for application administration functions; however, these accounts should be limited-use, maintain multi-factor authentication requirements, and not be used for regular system usage. The vendor shall coordinate and implement authentication for the system using the agency's existing ADFS infrastructure prior to its transition into production.

  Information Security: The contractor shall coordinate and utilize MCC templates to comply with National Institute of Standards and Technology Federal Information Processing Standards 800-37, Risk Management Framework (RMF), and complete the following RMF Steps and Tasks included in each Step:
  - Step 1: Categorizing the information system following the standards in National Institute of Standards and Technology Federal Information Processing Standards Publication 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006, and National Institute of Standards and Technology Federal Information Processing Standards Publication 199, Standards for Security Categorization of Federal Information and Information Systems, February 2004.
  - Step 2: Select Security Controls based on MCC's common control criteria, FIPS-199, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, current revision, and FedRAMP required controls. The vendor should follow the cloud hosted security control matrix.
  - Step 3: Implement Security Controls based on the requirements defined in Step 2.
  - Step 5: Authorize the information system based on MCC policies, procedures, and by providing acceptable plans of action and milestones (POA&M); and
  - Step 6: Monitor the information system security controls.

  The contractor will provide assistance, as necessary, to complete the independent verification and validation of the security controls required by NIST SP 800-37, RMF Step 4 (Assess Security Controls). MCC procedures require continuous annual updates of the security artifacts (RMF Step 6) and require an annual assessment of selected controls for continued authorization and monitoring. The vendor shall provide an acceptable and complete security package in accordance with NIST SP 800-37, Appendix F. The security package shall contain the following artifacts:
  - FIPS-199 (RMF Step 1)
  - E-Authentication (RMF Step 1);
  - System Security Plan (RMF Step 1);
  - Contingency test plan (RMF Step 1);
  - Contingency test results (RMF Step 3); and
  - Plans of Action and Milestones (POA&M) (RMF Step 5).

  All interested vendors are asked to submit the following no later than November 17:
  - Capability Statement
  - Rough order of cost
  - Proposed solution
  - Recommended vehicle (Full & Open/GSA/NASA SEWP/etc.)
  - Suggestions to requirements for improvement.

  To attend this Virtual Industry Day you must first register on Eventbrite. Registrations are limited to two employees per company. If more than two are registered, MCC will eliminate the additional registrants, so be sure to stay within the two-person limit to prevent the wrong person from being removed. Here is the Eventbrite link: https://www.eventbrite.com/e/mcc-industry-day-tickets-204005424717?utm_source=eventbrite&utm_medium=email&utm_campaign=post_publish&utm_content=shortLinkNewEmail
- Web Link
- SAM.gov Permalink (https://beta.sam.gov/opp/d2de72ac9ded4ffca2cab620f14c7f57/view)
- Place of Performance
- Address: Washington, DC 20005, USA
- Zip Code: 20005
- Country: USA
- Record
- SN06170661-F 20211106/211104230111 (samdaily.us)
- Source
- SAM.gov Link to This Notice (may not be valid after Archive Date)