Loren Data's SAM Daily™

SAMDAILY.US - ISSUE OF DECEMBER 24, 2021 SAM #7328
SOURCES SOUGHT

D -- Security Assessment and Vulnerability Mitigation Service to Strategic Systems Programs

Notice Date
12/22/2021 7:43:26 AM
 
Notice Type
Sources Sought
 
NAICS
541512 — Computer Systems Design Services
 
Contracting Office
STRATEGIC SYSTEMS PROGRAMS WASHINGTON NAVY YARD DC 20374-5127 USA
 
ZIP Code
20374-5127
 
Solicitation Number
N0003023R6003
 
Response Due
1/7/2022 2:00:00 PM
 
Archive Date
01/08/2022
 
Point of Contact
Lucas M. Medlock, Phone: 3215065096, Marge Niedzwicz, Phone: 2024513230
 
E-Mail Address
lucas.medlock@ssp.navy.mil, Marge.Niedzwicz@ssp.navy.mil
 
Small Business Set-Aside
WOSB Women-Owned Small Business (WOSB) Program Set-Aside (FAR 19.15)
 
Description
This is a SOURCES SOUGHT notice. This notice is NOT a Request for Proposal (RFP). No solicitation exists at this time. The Strategic Systems Programs (SSP) seeks a Firm-Fixed-Price (FFP-LOE) type contract with a Certified Women Owned Small Business (WOSB) for subject matter expertise regarding the SSP application systems security assessment and vulnerability mitigation. The applicable NAICS code for this requirement is 541511- Custom Computer Programming Services. The assigned NAICS code is one in which the Small Business Administration (SBA) has determined that WOSB concerns are substantially underrepresented in Federal procurement, as specified on the SBA's Web site at http://www.sba.gov/WOSB and as further defined in FAR Subpart 19.15 - Women-Owned Small Business Program. Therefore, SSP is hereby requesting only qualifying WOSBs (including Economically Disadvantaged Women-Owned Small Business (EDWOSB) concerns) respond to the following market research tool for the collection and analyses of information to determine WOSB/EDWOSB's capability to provide the Security Assessment and Vulnerability Mitigation Service Requirement based on the description of the requirement provided below.

PURPOSE OF NOTICE: The Sources Sought is being used as a Market Research tool to determine potential sources prior to determining the method of acquisition and issuance of a possible RFP. The Government is not obligated and will not pay for any information received from potential sources as a result of this notice. We are only requesting capability statements from potential contractors at this time. Responders should indicate which portions of their response are proprietary and should mark them accordingly. Failure to provide a response does not preclude participation in any possible future competitive RFP for which a business is eligible to participate in, if any is issued.
It is the responsibility of the interested businesses to monitor the FEDBIZOPS website for additional information pertaining to any potential acquisition and provide security clearances, if necessary, to perform the statement of work (SOW).

REQUIREMENT: The Strategic Systems Programs (SSP) Chief Information Officer (SPCIO) is seeking responsible, single, integrated vendor sources to support all actions associated with maintaining mission assurance and providing security vulnerability mitigation for five SSP Application systems. Potential sources must possess an understanding of the architecture and have experience with the technologies used for the five SSP specific application systems listed below:

1) SSP Enterprise Archives Service (SEAS) application - SEAS is SSP's web based records management system utilizing networked document scanners. An instance of SEAS is also running on the Navy's Classified network to support SSP's classified record management activities. It allows the SPHQ and PMO offices to archive both paper and electronic financial records and official correspondence. SEAS was developed using Java, Apache Struts/Tiles framework, JSP technology and Oracle Database.
2) Contract Action Tracking System Web (CATS Web) application - CATS Web is the Contract Branch Action Tracking System. This system allows SSP's contracting branch to document and track their action routing process and validate required contract artifacts for each procurement. The new CATS Web architecture includes Java, STRUTS and J2EE components as well as Oracle database.
3) SSP Service Desk system - SSP Service Desk is a COTS product used for the management of SSP's service desk tickets. SSP Service Desk system was customized to support SSP's business processes. It uses Microsoft SQL Server and administration suite of tools. This application is used by the SPHQ Helpdesk as well as the SSP Program Management Offices.
4) SSP Logistics Planning System (i.e., SPOSE) - The Logistics Planning application is primarily used to gather raw data for the production and publication of SSP's annual budget/planning document. This application is used by SSP to plan for their current and future program resource allocations. The application was converted from a standalone PowerBuilder system to a web based application currently operational on the Navy's classified network. SSP's web based Logistics Planning System was developed using Java Framework and Oracle database.
5) Quality and Reliability Information Management System (QRIMS) - QRIMS is a report processing application hosted at SSP and sponsored by the SSP Navigation branch for use by external contractors to track trouble and failure reports, corrective action reports as well as trouble failure repair and return reports and preventative maintenance action reports. QRIMS was developed using Struts 2 MVC framework and Oracle database.

The security management of these applications shall require detailed knowledge and a thorough understanding of the SSP information systems' business, data, applications and technical architecture.
The contractor must provide subject matter expertise for the above application systems in the following areas:

1. Transitioning of applications from the DIACAP Certification and Accreditation Process to the DoD Risk Management Framework (RMF)
2. Information Security assessments, mitigation and control monitoring
3. Application development framework
4. Library dependency End-of-Life management
5. Vulnerability monitoring and mitigation
6. Security Penetration testing and remediation
7. Structured security patch management
8. Application unit testing, integration testing, and automated code review testing
9. Re-factoring and patching of source code, unit tests and integration tests
10. Database schema design and configuration changes
11. Application release and deployment management
12. System audit logs analysis
13. Port and Protocol management
14. Maintaining application configuration management data in accordance with the Software Configuration Management Plan for SSP Enterprise Applications

The above application security management actions require detailed knowledge and experience using specific technologies, interfaces, development and scripting languages, Software Development Life-Cycle (SDLC) processes and tools.
The contractor shall have experience and maintain skills proficiency in the key subject areas required to perform the security management actions, which include:

1) OpenText Livelink application Programming Interface (API)
2) Hewlett Packard Digital Sender workflow programming
3) HEAT trouble ticketing system database configuration and administration
4) Business Process definition and analysis using BPMN 2.0
5) Fusion Charts reports (using XML, HTML5 and JavaScript)
6) DoD Records Management application design standards
7) Development languages & interfaces: Java, Apache Struts, Apache Tiles, PL/SQL, iText, XML, HTML5, JavaScript, CSS, SVG, UML, LDAP, SMTP
8) Web Server Technologies: Internet Information Services (IIS)
9) SDLC Tools: PortSwigger Burp Suite, Enterprise Architect UML, Eclipse IDE, JIRA Issue & Project Tracking, Subversion Revision Control, Unit Test, Code coverage, automated Code Review
10) DoD Information Assurance Certification and Accreditation Processes (DIACAP) and DoD Risk Management Framework (RMF)
11) Public Key Infrastructure (PKI)
12) Security Assertion Markup Language (SAML)
13) Web Services
14) XML Digital Signature Programming
15) Common Access Card (CAC) authentication
16) Cryptography protocols and their usage
17) Security threat modeling and mitigation strategies
18) HTTPS Web session monitoring

Potential contractor must possess a complete understanding of SSP's information systems environment and must have demonstrated knowledge and experience working with the Navy accreditation processes for the SPCIO's application systems. Potential contractor's proposed staff must be fully DOD 8570 compliant and have a complete understanding of DISA Security Technical Implementation Guidelines (STIG) and Security Requirements Guides (SRG) for hardware, software, and applications.
PERIOD OF PERFORMANCE: The current proposed period of performance is estimated to be one base year plus four (4) option years.

RESPONSE DEADLINE: Interested sources shall submit a capability package by COB 07 Jan, 2022 (10 pages or less) containing: 1) company name and address, 2) company point of contact, 3) email address, 4) phone number, 5) specifics addressing the work listed above including a current list of related past performance within the past 5 years. Proposed contractor must have a Secret Facility clearance. Electronic responses are acceptable if prepared in Microsoft 2007 or newer or .pdf compatible format. Email electronic responses to Lucas Medlock (email:lucas.medlock@ssp.navy.mil) and Marge Niedzwicz (email:marge.niedzwicz@ssp.navy.mil) with "Sources Sought" in the subject line of the email.
 
Web Link
SAM.gov Permalink
(https://sam.gov/opp/c1595b2ce91d4a1ebfae9d9794248f1a/view)
 
Place of Performance
Address: Washington Navy Yard, DC 20374, USA
Zip Code: 20374
Country: USA
 
Record
SN06204079-F 20211224/211222230114 (samdaily.us)
 
Source
SAM.gov Link to This Notice
(may not be valid after Archive Date)
