70 -- SYSTEMS SECURITY BENCHMARKING SERVICES

Notice Date

August 30, 2000

Contracting Office

Social Security Administration, Deputy Commissioner for Finance, Assessment and Management, Office of Acquisition and Grants, 1710 Gwynn Oak Avenue, Baltimore, MD, 21207-5279

ZIP Code

21207-5279

Solicitation Number

SSA-RFQ-00-0710

Response Due

September 11, 2000

Point of Contact

Monica Yankle, Contract Specialist, Phone 410-965-9591, Fax 410-966-5982, Email monica.yankle@ssa.gov

E-Mail Address

Monica Yankle (monica.yankle@ssa.gov)

Description

DESCRIPTION: The Social Security Administration is interested in receiving quotes from firms that can provide Systems Security Benchmarking Services as described below. This is a combined synopsis/request for quotations numbered SSA-RFQ-00-0710 for commercial security benchmarking services prepared in accordance with FAR subpart 12.6 as supplemented with additional information included in this notice. THIS IS THE ONLY ANNOUNCEMENT. Quotations are being requested; a separate, written request for quotation will not be issued. This procurement is being conducted as a simplified acquisition in accordance with FAR Part 13. The standard industrial classification code for this acquisition is 7373. The small business size standard is $18 Million. This request for quotation and incorporated provisions and clauses are those in effect through the latest Federal Acquisition Circular. BACKGROUND: The Social Security Administration (SSA) administers retirement, survivors and disability benefit programs, other monthly benefit programs based on need, enumeration and wage reporting activities, and additional related functions. SSA operates from its headquarters in Baltimore, MD and from local offices and centralized processing facilities throughout the U.S. To support its mission and organization, SSA manages an automated information retrieval, data processing, and telecommunication system protected by a variety of security protocols and techniques. SSA also has an ongoing, vigorous information systems security program that includes technological controls, employee training, monitoring, and oversight activity. To assess the strength of its security program relative to other organizations, SSA is seeking a contractor with expertise in providing information systems security- benchmarking services. REQUIREMENTS: The contractor must provide program management, technical management, and administrative support for this effort. The contractor must provide a fixed price for support and technical expertise in a broad range of activities involving systems security-benchmarking activities. This includes:(1)Benchmarking techniques and procedures. The contractor must use proven systems security benchmarking techniques and procedures that are able to quantify a large organization_s security program across a wide range of relative measurements common to modern, large-scale information systems and organizations. This should include techniques for organizing security functions and controls in logical groupings, and employing an appropriate survey instrument. (2)Data collection techniques.The contractor must use data collection techniques that utilize strategies and tools for efficient data collection throughout a large geographically dispersed organization. The techniques must be easy to present to those SSA employees who will participate in the data collection process, and must utilize state-of-the art data collection methods, including computer-supported tools. The contractor must provide onsite assistance to SSA during the training/orientation and data collection phases of the benchmarking process. The contractor will conduct training/orientation sessions for SSA employees who will be part of data collection effort, and assist in the data collection and data entry process. The contractor will assure that all of the data collected during the contract will be securely maintained. While the data collected may be added to the contractor_s experiential data base, if it is used in benchmarking comparison reports prepared for other entities, it shall not specifically identify the Social Security Administration. The only exception to this requirement is if the contractor receives written permission to disclose information about SSA from the SSA Chief Information Officer or the Deputy Chief Information Officer. SSA will provide facilities, reprographic support and routine equipment such as overhead projectors or computer projection equipment for both training/orientation and for final briefings and formal presentations. (3) Comparative analysis techniques. The contractor must use computer-based tools for comparing SSA_s benchmark results with those of other organizations of similar size and/or mission, using automated tools. Such comparisons must be based on extensive experience in benchmarking activities with a variety of organizations. The contractor should have previous benchmarking results available in an automated database of systems security benchmark measurements that can be easily used for comparison with SSA_s results. The database should contain information from government and non-government organizations such as large financial, manufacturing, insurance or service companies. The database should reflect recent as well as historical benchmarking activity taking into account improvements in information systems security technology and procedures. (4) Presentation techniques.The contractor must use state-of-the art presentation techniques for demonstrating SSA_s performance in specific systems security categories and functional areas compared to other organizations whose benchmark results were produced in a similar manner. The reporting mechanism must be flexible enough to be able to document SSA_s systems security posture and compare it to many sample groups already collected in the contractors database, such as: all other organizations, other government agencies, other entities with like mission or organization, and other comparisons that would be useful in assessing SSA_s security posture. The mechanism should be capable of showing both average systems security performance and _best-in-class_ comparisons for each group.These techniques should include paper and computer-based graphical representations of SSA_s performance in specific security-related categories compared to other organizations of similar size, function or infrastructure organization. The contractor will present and interpret the results of the benchmarking process in meetings with SSA systems security managers and SSA_s executive staff. SCHEDULE:Begin orientation to SSA with the Project Officer(PO)-week 1;Deliverable 1, Proj. Plan and Trng/Survey Form & Trng/Orientation materials, Wk.7;Deliverable 1 review period, 1 week- week 8;Conduct trng/orientation-week 9;Survey phase- week 12;Analysis phase-week 17;Deliverable 2, Preliminary Report to SSA PO-week 21;Deliverable 2 review period, 2 weeks-week 23;ExecStaff rpt preparation, 1 week-week 24;Deliverable 3, Report to SSA Exec Staff-week 24.Deliverable 1: The project plan from contractor will be prepared after consultation with the PO. It will show the contractor_s detailed approach and recommended schedule, indicating which contractor employees will be involved at each stage. The deliverable should also include:the questionnaire (survey form) that the contractor plans to use in gathering data for security benchmarking;The training material for use in training SSA employees in data gathering Deliverable due to the PO by the end of week 7.The PO has one week to review and prepare comments.The approach and schedule must be approved before proceeding: Deliverable 2: This is the preliminary report which will be presented to the PO and PO_s support team which worked with the contractor to gather the data reflected in the report. The deliverable is due to the PO by the end of week 21.The PO and the support team have 2wks to review and comment on the report, including recommendations as to which comparisons w/industry groups in the contractor_s database would be most meaningful to SSA executives. The contractor will use the comments to prepare the final report and briefing for the SSA Executive Staff. Deliverable 3: This deliverable is in two parts: The final report and briefing for the SSA Executive Staff. Copies of the material will be prepared for each Deputy Commissioner.The working papers the contractor used in gathering data from SSA plus any analyses shall be turned over to the PO. ADDITIONAL INFORMATION: It is believed that Atomic Tangerine located at 333 Ravenswood Avenue, Menlo Park, CA is the only responsible source capable of providing the described security benchmarking services. RFQ INSTRUCTIONS: The following provisions at FAR Part 52.212-1 Instructions to Offerors -- Commercial, applies to this acquisition: (b)1 through (b)9, (b)11, (c), (f), and (g). There are no addenda to these provisions. The provisions at FAR Part 52.212-2 Evaluation -- Commercial Items apply to this acquisition. The Government will award a purchase order resulting from this request for quotation to the responsible offeror whose offer conforming to this request will be most advantageous to the Government, price and other factors considered. The following factors, in descending order of importance, shall be used to evaluate offers: price, technical capability of the security benchmarking services being offered to meet the stated Government requirements, and past performance. A written notice of award or acceptance of an offer, mailed or otherwise furnished to the successful offeror within the time for acceptance specified in the offer, shall result in a binding contract without further action by either party. Before the offeror's specified expiration time, the Government may accept an offer, whether or not there are negotiations after its receipt, unless a written notice of withdrawal is received before award. Offerors are advised to include a copy of the provision at FAR Part 52.212-3, Offeror Representations and Certifications -- Commercial Items, with their offer. The provisions at FAR Part 52.212-4, Contract Terms and Conditions -- Commercial Items, apply to this acquisition. There are no addenda to these provisions. The following provisions to Implement Statutes or Executive Orders -- Commercial Items (tailored), apply to this acquisition:(a)(1), (a)(2), (a) (3), (b)(1), (b)(11) through (b)(16),(b)(23), and (b)(25). Quotations in response to this request shall be submitted by September 11, 2000by 3:00 p.m. Eastern Daylight Time, to the address provided herein, to the attention of Monica M. Yankle.

Web Link

Visit this URL for the latest information about this (http://www2.eps.gov/cgi-bin/WebObjects/EPS?ACode=P&ProjID=SSA-RFQ-00-0710&LocID=2422)

Record

Loren Data Corp. 20000901/70SOL009.HTM (D-243 SN491741)