Loren Data's SAM Daily™

fbodaily.com
SAMDAILY.US - ISSUE OF JUNE 22, 2023 SAM #7877
SOURCES SOUGHT

99 -- Revenue Service (IRS) Stakeholder Enterprise Cybersecurity Unified Risk Evaluation (SECURE).

Notice Date
6/20/2023 11:19:32 AM
 
Notice Type
Sources Sought
 
NAICS
541512 — Computer Systems Design Services
 
Contracting Office
NATIONAL OFFICE - PROCUREMENT OITA NEW CARROLLTON MD 20706 USA
 
ZIP Code
20706
 
Solicitation Number
Reference(eBuyRFQ1634227)
 
Response Due
6/23/2023 9:00:00 AM
 
Archive Date
07/08/2023
 
Point of Contact
Daffeney L. Wilson, Phone: 2108412173
 
E-Mail Address
daffeney.l.wilson@irs.gov
 
Description
***Per the original notice, no phone calls or emails related to this sources sought notice will be accepted. Vendors' responses to the SSN questions shall be uploaded to GSA eBuy (RFQ1634227) by June 23, 2023, 12PM Eastern Time. This agency is not seeking marketing information and will not review it.***

This is a Sources Sought Notice (SSN) for market research purposes only. This SSN is issued solely for information and planning purposes; it does not constitute a Request for Quotation (RFQ) or a promise to issue an RFQ in the future. This SSN does not commit the IRS to contract for any supply or service whatsoever. Further, the agency is not at this time seeking quotations and will not accept unsolicited quotations. This SSN is being published to identify potential sources capable of providing support services for the Internal Revenue Service (IRS) Stakeholder Enterprise Cybersecurity Unified Risk Evaluation (SECURE). Responders are advised that the agency will not pay for any information or administrative costs incurred in response to this SSN; all costs associated with responding to this SSN will be solely at the interested party's expense. Not responding to this SSN does not preclude participation in a future RFQ, if any is issued. It is the responsibility of potential offerors to monitor the agency sources for additional information.

Background

The IRS seeks to obtain contractor support to expand current work around the Filing Season Stakeholder Enterprise Cybersecurity Unified Risk Evaluation effort and to create an enterprise-wide interconnected view of organizational risk, developing decision environments for stakeholders, incorporating authoritative data feeds, and establishing use cases to provide risk insights to stakeholders and mitigation teams, to include Risk Snapshot Assessment of Assets not previously identified as Filing Season.

This will involve collection of Internet Protocol (IP) mappings and data associations to make justifiable nexuses among the various categories of IRS critical assets, establishing a process to validate the alignment of discovered IPs on the network to systems, and providing updates to authoritative data stores to allow the IRS to appropriately assign remediation and mitigation activities to owners.

Objective

No decision has yet been made regarding the acquisition strategy or the small business strategy for this requirement. The purpose of this SSN is to identify interested vendors with the capabilities to meet the Government requirements at a fair market price. Vendors' SSN responses shall be uploaded to GSA eBuy (RFQ1634227) by June 23, 2023, 12PM Eastern Time. This agency is not seeking marketing information and will not review it. No phone calls or emails related to this sources sought notice will be accepted.

Submission Instructions

The North American Industry Classification System (NAICS) code proposed for the requirement is 541512, Computer Systems Design Services. The Government requests that all interested parties submit the information outlined below:
- Contractor name
- Address
- Point of Contact (POC)
- POC phone number and e-mail address
- UEI ID number
- Business status (i.e., large/small business, disadvantaged, HUBZone, woman-owned, etc.)
- Brief description of the company's business size (i.e., annual gross revenue for the prior three (3) years)
- Schedules or contract vehicles available for you to compete for these services (including contract numbers)
- Anticipated teaming or subcontracting arrangements (delineate between work accomplished by the prime and work accomplished by teaming partners)
- Responses to the SSN questions below

Page limit and formatting requirements: The company's standard format is acceptable; however, the limit for all responses shall be ten (10) pages, 11-point font, 8 ½ x 11-inch pages.

SSN Questions

PWS Section 1.0
1. Does the vendor know how to assess Mission Essential Functions and their dependencies on both Business Processes and the supporting Information Technology? The vendor's overall goal must be to satisfy both the business side of the IRS as well as the IT government agency that they will work with directly.
2. Does the vendor recognize there will be ever-changing asset interdependencies as the Inflation Reduction Act (IRA) changes over the next several years? If so, can they define how they will meet the ever-changing goals?
3. Does the vendor have the ability/bandwidth to address the enormity of the IRS infrastructure, with over 800-1000 applications, while pairing risk to operational requirements to meet, for example:
   - Weekly reporting compared to previous weeks' reporting, and details surrounding the variances?
   - Comprehensive environments (test, development, lower, production, etc.)?
   - Critical categorizations of data assets and their interdependencies?
   - Ability to integrate data workflows into ServiceNow to curate raw vulnerability data and automatically generate tickets, assign users, and prioritize actions based on the Risk Scoring Model?
   - Ability to address Non-Filing assets to Filing Season assets for the purpose of determining functionality and importance?

PWS Section 2.0
1. Does the vendor understand the requirement to build interdependent risk dependencies for each of the 500+ applications and what it will entail, or have a general understanding of what it would entail?
2. Does the vendor have a background in Treasury Directives around the delivery of risk management, CISA, and Binding Operational Directives?
3. Does the vendor have the ability/capabilities and staff support to address the following, for example:
   - Approximately 150-200 gigabytes of raw data are processed and optimized, or 1 TB of data manipulated, each week.
   - Approximately 50 various risk reports, but the number is not limited to 50, as the need is driven by the correlation coefficient and gaps, which can change weekly.
   - Filing Season Risk Snapshots are required for +/- 500 applications and must be updated monthly.
   - Depth of knowledge is required; domain knowledge around 700+ applications is necessary.
   - Data gap analysis and remediation reporting.
   - Must have an IRS understanding of the types of assets, as there are over 1200 host names to monitor and align.
   - Must have graphic database capabilities.
   - Knowledge of the following tools is essential: SQL, Python, Tenable, Tableau, SPLUNK, Big Fix, knowledge to move data into the Cloud/on-prem, Guardium, Archer, UCMDB, TFIMS, KISAM, ABA, and the suite of tools used across the IRS environment.

PWS Section 3.0
Does the vendor have the ability to create an enterprise-wide interconnected view of organizational risk, developing decision environments for stakeholders, incorporating authoritative data feeds, and establishing use cases? Can they provide a sample of how they would go about this?

PWS Section 4.0
Sub-task 4:
1. Does the vendor have the ability/capabilities and staff support to address the following, for example:
   - Integrate with application-level stakeholders to facilitate reporting and guide mitigation.
   - Facilitate weekly Stakeholder Enterprise Cybersecurity Unified Risk Evaluation Effort (SECURE) meetings with key Applications Development (AD) and Enterprise Operations (EOps) stakeholders to assess prioritized risks and coordinate cross-application remediation plans (analysis briefings and mitigation support sessions).
   - Provide/conduct monthly presentations with Executives to drive risk-informed decision making.

Sub-task 5: Risk Snapshot Assessment of Assets (SECURE Snapshot)
- Can the vendor describe how they would provide risk insight to stakeholders and mitigation teams for the purpose of providing mitigation/remediation options through the use of tools, technology and IRS network automation?
- Can the vendor describe how they would develop the risk snapshots to depict impact, vulnerability, and threat factors through the use of algorithms, outputs and dashboarding?
- Can the vendor describe their involvement in the analysis of critical categories and how they proceeded with Risk Based Decisions, Plans of Action and Milestones, etc. to address TIGTA or GAO audit findings and mitigation/remediation techniques?
- Does the vendor have hands-on knowledge of ServiceNow and integration of data, processes, and output integration experience?
- Does the vendor have examples of where alternative strategies for risk remediation were used when a patching solution was not available?
- Does the vendor have examples of comprehensive vulnerability analysis, reporting, and oversight, including but not limited to data from Qualys VMDR, AppScan, and Vanguard, etc.?
- Does the vendor have the ability to quantify risk associated with POA&Ms/RBDs based on impacted systems, external threats, and upstream/downstream interdependencies?
- Can the vendor give examples of migrating minor and major risk into overarching risk snapshots for the purpose of allowing users to understand key risk areas and application impact to the environment based on upstream/downstream dependencies?
- Does the vendor have examples of how they have aligned reporting and analysis to improve data management capabilities to drive evidence-based decisions?
- Does the vendor have experience in utilizing Python automation to streamline manual processes and improve data processing speed?
- Does the vendor have experience in mapping existing Internet Protocol addresses to servers, applications, and points of contact, along with coordinating with a large audience (300+) team (e.g., Business Impact Analysis) to share the information collected?
- Does the vendor have experience in prioritization, monitoring and ticketing associated with vulnerability impact and threat scoring? Can you provide examples?
- Does the vendor have experience in preparing a Repeatable Process and Oversight Proposal annually?

Skill Requirements:
1. Please provide detailed examples of the following:
   - Experience planning and managing large-scale infrastructure IT programs.
   - Experience working in highly secure, distributed IT environments.
   - Knowledge of and experience with the current infrastructure in place at the IRS and Treasury, including but not limited to: Mainframe (IBM and Unisys); HP Integrity; Unix (Solaris and Linux); Oracle; Windows; Network (Cisco and other contractors); Centralized Storage Area Network (SAN) from EMC, Hitachi, IBM, and HP.
   - Knowledge and experience with SQL Server and databases, Tableau, and Microsoft Access.
   - Knowledge of Common Vulnerabilities and Exposures (CVE) cybersecurity vulnerabilities and the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD), and experience with the Common Vulnerability Scoring System (CVSS) and fixes for a multitude of environments.
   - Knowledge of and experience with multi-contractor IT infrastructure management software, including but not limited to IBM Tivoli, HP Business Technology Optimization (BTO), BMC, OPNET, and ASG.
 
Web Link
SAM.gov Permalink
(https://sam.gov/opp/4889b4eecd194506a44807ea759146e1/view)
 
Record
SN06721665-F 20230622/230620230124 (samdaily.us)
 
Source
SAM.gov Link to This Notice
(may not be valid after Archive Date)
