Loren Data's SAM Daily™

fbodaily.com
SAMDAILY.US - ISSUE OF NOVEMBER 09, 2023 SAM #8017
SOURCES SOUGHT

B -- Request for Information: Security Rating Tool

Notice Date
11/7/2023 1:31:16 PM
 
Notice Type
Sources Sought
 
NAICS
519290
 
Contracting Office
COMPTROLLER OF CURRENCY ACQS WASHINGTON DC 20219 USA
 
ZIP Code
20219
 
Solicitation Number
2031JW24N00009
 
Response Due
11/20/2023 2:00:00 PM
 
Archive Date
12/05/2023
 
Point of Contact
Danielle Pena, Phone: 2028800603
 
E-Mail Address
danielle.pena@occ.treas.gov
 
Description
This Request for Information (RFI) is issued solely for market-research and acquisition-planning purposes. It does not constitute a Request for Proposal (RFP) or a promise to issue an RFP in the future. This RFI does not commit the Government to contract for any supply or service. At this time, the OCC is not seeking proposals and will not accept unsolicited proposals. The OCC will not pay for any administrative costs incurred in responding to this RFI. Failure to respond to this RFI does not preclude participation in any future RFP, if one is issued.

Background
The OCC seeks information about security rating services that aggregate publicly accessible cyber data, using algorithms to calculate a risk score or risk rating that reflects an organization's cybersecurity hygiene and external security posture. The OCC is considering the use of security rating services to evaluate the security posture of supervised financial institutions. The OCC seeks information on the capabilities provided by these services as well as the associated pricing models.

Requested Information
Interested parties are requested to respond to the following questions only. General marketing information is not requested and will not be reviewed. If proprietary information is included in a response, it should be clearly marked as such.

Fairness and Accuracy of Ratings
1. The U.S. Chamber of Commerce published its Principles for Fair and Accurate Security Ratings (https://www.uschamber.com/issue-brief/principles-fair-and-accurate-security-ratings). The OCC wishes to understand to what extent each rating company complies with the principles outlined in that publication. For each principle described below, please explain the measures implemented by your company to ensure that it operates in accordance with the principle.
1a) Transparency: "Rating companies shall provide sufficient transparency into the methodologies and types of data used to determine their ratings, including information on data origination as requested and when feasible, for customers and rated organizations to understand how ratings are derived." Any rated organization shall be allowed access to their individual rating and the data that impacts a change in their rating.
1b) Dispute, Correction and Appeal: Rated organizations shall have the right to challenge their rating and provide corrected or clarifying data. Rating companies should have an appeal and dispute resolution process. Disputed ratings should be notated as such until resolved.
1c) Accuracy and Validation: "Ratings should be empirical, data-driven, or notated as expert opinion." Rating companies should provide validation of their rating methodologies and historical performance of their models. Ratings shall promptly reflect the inclusion of corrected information upon validation.
1d) Model Governance: "Prior to making changes to their methodologies and/or data sets, rating companies shall provide reasonable notice to their customers and clearly communicate how announced changes may impact existing ratings."
1e) Independence: "Commercial agreements, or the lack thereof, with rating companies shall not have direct impact on an organization's rating; any rated organization will be able to see and challenge their rating irrespective of whether they are a customer of the rating company."
1f) Confidentiality: "Information disclosed by a rated organization during the course of a challenged rating or dispute shall be appropriately protected. Rating companies should not publicize an individual organization's rating. Rating companies shall not provide third parties with sensitive or confidential information on rated organizations that could lead directly to system compromise."

Security
What measures has your company taken to protect against a security breach involving a customer's user and usage data?
Does the online portal used by a customer to access its subscription provide multifactor authentication or single sign-on capabilities via claims-based authentication?
Does the portal support segregation of functionality and/or data access based on user roles?

Licensing
Please explain your licensing model. Are licenses associated with subscription users (either via named users or an enterprise license) or with the rated organizations/entities?
Please explain the pricing model for your subscriptions. The OCC is potentially interested in risk scoring approximately 1,000 organizations. Over time, the organizations within this industry cohort will change, as the OCC engages different vendors to support its IT requirements. But at any given time, the total number of organizations being scored/rated would remain relatively stable.
Is your subscription available on a GSA schedule? If so, please provide the schedule number.
Is your subscription available on a Government Wide Acquisition Contract Vehicle (GWAC)? If so, please provide the contract number.
Can your subscription be purchased through an authorized re-seller? If so, please identify those re-seller(s).
Does your license allow for publication of aggregated research data? Does your license allow for non-public sharing of aggregated information among federal agencies?
Are there any restrictions in the license agreement (right to review, rights upon termination, etc.)?

Functionality
Does the subscription provide the capability to produce a dashboard of a user's monitored entities? Does the user have the ability to group entities into different subsets for the production of discrete dashboards and reporting?
Does the subscription support both "canned" and ad-hoc reporting? If ad-hoc reporting is supported, please describe any limitations or constraints associated with the reporting functionality.
Can data be exported from the online application into a database for the term of the contract? If so, in what formats can the data be exported? If the data exports are limited to a certain type of data or number of data elements, please explain these constraints.
Does the subscription provide access to an application programming interface (API)? If an API is available, is it part of the base subscription or would this be considered an "add-on" provided at an additional cost?
Does the subscription provide access to audit logs that document user activity? What types of user activity are logged?
How many years of data are used as inputs to the risk score? Can users customize the date range when generating a report?

Submission of Responses
Responses shall be limited to eight (8) pages and submitted via email to Danielle Peña, Contract Specialist, at danielle.pena@occ.treas.gov. Submissions are due by 5 PM Eastern Time on November 20, 2023 and will be acknowledged via return email. All submissions will become Government property and will not be returned. The file format for responses shall be either MS Word (or compatible version) or Adobe Portable Document Format (PDF). Responses should include the following contact information for the respondent: Name, Business Postal Address, Business Email Address, Telephone Number, and Fax Number.
 
Web Link
SAM.gov Permalink
(https://sam.gov/opp/76fef6753c424c62864448b68b083ab6/view)
 
Record
SN06878815-F 20231109/231107230135 (samdaily.us)
 
Source
SAM.gov Link to This Notice
(may not be valid after Archive Date)
