The FISMA Focus IPD

REQUEST FOR INFORMATION (RFI)
For the Department of Homeland Security (DHS)
National Protectorate and Programs Division (NPPD) National Cyber Security Program
Situational Awareness Incident Response (SAIR) Tier III Project.

This is a Request for Information (RFI) as identified in FAR 15.201 (c)(7). This is not a Request for Proposal (RFP). A solicitation is not being issued at this time, and this notice shall be not be construed as a commitment by the Government to issue a solicitation, nor does it restrict the Government to a particular acquisition approach.

The Department of Homeland Security (DHS) National Cyber Security Division is requesting industry feedback on existing Government product performance requirements involving the Situational Awareness Incident Response (SAIR) Tier III project. The objective of SAIR Tier III is to provide U.S. Government (USG) agencies the ability to assess, assure, monitor, and measure the security posture of their information technology (IT) assets in a timely manner (i.e., near-real time.) This RFI provides an opportunity for respondents to submit their ideas and initiatives related to this request. Additionally, respondents will have the opportunity to comment on the draft product performance requirements for SAIR III listed on Attachment 2.
The Government will evaluate industry feedback on Government SAIR III technical requirements then the Government may hold an industry day to answer any specific questions related to this RFI. The Government may use feedback that results from this RFI and industry day to further refine technical requirements to potentially establish qualified product list (QPL) for COTS products that can be utilized by federal, state, and local Governments for Information Security Continuous Monitoring.

If the development of a QPL results from this RFI, DHS NCSD will be responsible for managing the QPL in terms of testing and evaluating COTS products to ensure proposed products meet any developed SAIR III minimum technical requirements. This QPL will be developed for multiple federal agency use. Product acquisitions will be at the discretion of each individual agency. The potential QPL may be established as guidance to assist federal agencies in managing information system security capabilities across the federal civilian enterprise.

1. BACKGROUND:

The Information Systems Security Line of Business (ISSLOB) was created in 2005 to improve the level of information systems security across government by eliminating duplication of effort, increasing aggregate expertise and enhancing the overall security posture of the Federal Government. This value proposition is supported through the use of Shared Service Centers (SSC’s), consolidated acquisitions, agency standard practices and lessons learned across agencies.

In 2007, the ISSLOB launched a series of procurements under the Situational Awareness Incident Response (SAIR) Initiative. Based on guidance from the Federal Systems Security Governance Board (FSSGB), the oversight body of the ISSLOB, the SAIR procurements follow a tiered execution approach. The SAIR initiatives are aimed at providing an efficient, cost effective mechanism to deliver enhanced information system security capabilities across the federal civilian enterprise.

The cyber landscape in which federal agencies operate is a constantly changing and dynamic environment. Threats to the nation’s information security continue to evolve and government leaders have recognized the need for a modified approach in protecting our cyber infrastructure. The new approach moves away from historical compliance reporting toward combating threats to our nation’s networks on a real time basis. The tools and services delivered through the SAIR Tier III project will provide federal agencies with the ability to enhance/automate their existing continuous network monitoring capabilities, correlate and analyze critical security-related information, and enhance risk-based decision making at the agency and federal enterprise level. Information obtained from the automated monitoring tools will eventually feed CyberScope and allow for the correlation and analysis of security-related information across the federal enterprise.

2. SAIR III TECHNICAL REQUIREMENTS:

The capabilities sought for SAIR Tier III are:

1. Asset Management Tools. Products that provide the ability to document, track, and discover both authorized and unauthorized IT assets. Such as NIST-SCAP validated asset management tools.

2. Configuration Management Tools. Products that provide the ability to assess, monitor, and report compliance of agency-specified security configuration settings and patches, as well as real-time altering of changes to approved baseline configurations for hardware, software, user access and security controls. Such as NIST SCAP-validated FDCC scanners and authenticated configuration scanners.

3. Vulnerability Management Tools. Products that provide the ability to discover, identify, and locate known security vulnerabilities and software security weaknesses; and report the associated potential exposure risks using the Common Vulnerability Scoring System (CVSS) and the Common Weakness Scoring System (CWSS^TM). , For example: NIST SCAP-validated authenticated vulnerability & patch scanners, unauthenticated vulnerability scanners, source code security analyzers, web and database vulnerability scanners.

4. Malware Detection Tools. Products that provide the ability to discover, isolate, characterize, and report known malware for supporting agency’s security incident response process. Such as Malware Attribute Enumeration and Characterization (MAEC^TM) -compatible malware tools.

5. Situational Awareness Analysis and Reporting Tools. Products that provide the ability to collect, associate, compile, and report security posture metrics in terms of IT security governance and operational effectiveness. For example: The governance, risk, and compliance (GRC) reporting tools and FISMA security authorization management tools.

Where the capabilities are defined:

1. Asset Management Function: System functions that support the management of hardware and software inventory baseline by documenting, tracking, and discovery of agency-responsible IT assets (i.e., hardware, software, and virtualized configuration items); and to identify unauthorized IT assets.

2. Configuration Management Function: System functions that support the management of security configuration baseline by documenting and tracking compliance with agency-specified security configuration settings and software patches (i.e., compliance with Federal Desktop Core Configuration [FDCC], USG Configuration Baseline [USGCB], and Security Technical Implementation Guides [STIGs], etc.) This includes system functions that provide continuous real-time detection and alerting of unauthorized changes to baseline configurations for hardware, software, user access, and security controls for perimeter defense and the core IT operating environment.

3. Vulnerability Management Function: System functions that discover, identify, and locate known security vulnerabilities and software weaknesses (i.e., the Common Vulnerabilities and Exposures [CVE®] and the Common Weakness Enumeration [CWE^TM]); , and support the understanding of their associated potential exposure risks (i.e., metrics generated from the Common Vulnerability Scoring System [CVSS] and the Common Weakness Scoring System [CWSS^TM].)

4. Malware Detection Function: System functions that discover, identify, characterize, and locate known malware in a standard language (i.e., the Malware Attribute Enumeration and Characterization [MAEC^TM]) for supporting agency’s incident response process.

5. Situational Awareness Analysis and Report Function: System functions that collect, associate, compile, and report metrics that support analysis in the understanding of security posture in terms of IT security governance and operational effectiveness.”

This Request for Information (RFI) addresses the ISSLOB’s information systems security need for tools to support a continuous monitoring capability.

The draft performance requirements these tools must possess can be found in the attached document, SAIR III Product Performance Requirements for Information Security Continuous Monitoring.

3. RFI PURPOSE AND LIMITATIONS:

Responses to this RFI are not offers and shall not be accepted by the Government to form a binding contract. The responses to this RFI may be used to assist the Government in further refining SAIR III technical requirements and potentially establishing a QPL.
Per Federal Acquisition Regulation (FAR) Part 10 – Market Research, this RFI is posted for data gathering and Planning Purpose only. It does not constitute a solicitation, and shall not be construed as a commitment by the Government to issue a solicitation or award a contract. The Government will not reimburse any respondent for any costs associated with information submitted in response to this RFI. Industry feedback is vitally important and the Government will be receptive to any and all ideas received from industry. This RFI is an expression of the Government’s interest only and does not obligate the Government to pay for the requested information nor respond to any submissions. Proprietary information is not being solicited; however, if it is submitted, highlight and clearly mark those sections with “proprietary information”. Submissions received from respondents to this RFI will not be returned.

4. RESPONSES TO THIS RFI:

FAR Provision 52.215-3 is hereby incorporated in full text:
52.215-3 Request for Information or Solicitation for Planning Purposes (OCT 1997)

a. The Government does not intend to award a contract on the basis of this solicitation or to otherwise pay for the information solicited except as an allowable cost under other contracts as provided in subsection 31.205-18, Bid and proposal costs, of the Federal Acquisition Regulation.

b. Although “proposal” and “offeror” are used in this Request for Information, your response will be treated as information only. It shall not be used as a proposal.

c. This solicitation is issued for the purpose of: [Not Applicable, this is an RFI]
(End of provision)

Please provide comments to the proposed requirements listed in the attached spreadsheets. The response spreadsheets are organized by SAIR Tier III specified functions: Asset Management, Configuration Management, Vulnerability Management, Malware Detection, GRC, and FISMA. Please provide response accordingly. If your product provides multiple functions, then respond with multiple response forms. When suggesting an edit to existing requirement text, please provide supporting rationale. If suggesting a change to the requirement’s criticality, please indicate the proposed degree (Must, Shall, Should, May) with supporting rationale.
Please limit your formal white paper submission to no more than two (2) pages, not including the cover letter or the comments provided in the requirements worksheet. Responders’ submission should address the following questions:

a. Are you willing to submit your products, software, appliance, etc for testing if the Government chooses to conduct a series of validation tests?

b. What suggestions, beyond what you have commented on the requirements sheets, would you make to the government regarding the capabilities sought? Feel free to share insights.

Technical questions and industry responses shall be submitted electronically via email to Contract Specialist, Tanisha Walcott. The contact information is provided below:
Tanisha Walcott
202-447-0612
Tanisha.Walcott@hq.dhs.gov

Include in the Email Subject line: RFI-OPO-12-0001, SAIR Tier III.

Any requests for additional information or explanations concerning this RFI must be received no later than Wednesday December 28, 2011 at 12:00 noon Eastern Standard Time. These requests should be submitted electronically to Tanisha.Walcott@dhs.gov.
Responses must be received no later than Wednesday, January 25, 2012 at 12:00 noon Eastern Standard Time. All material submitted in response to this RFI must be unclassified and properly marked.

I. LIST OF ATTACHMENTS:
1. Requirements Worksheets.
2. Draft SAIR Tier III Product Performance Requirements for Information Security Continuous Monitoring, Version 1.0.
3. Continuous Monitoring and Risk Scoring (CM/RS) Concept of Operations (CONOPS) for Supporting Agency Cyber Security Operations, Version 1.0.
Note that Attachment 3 is provided as background information and does not require vendor comments.
 

The purpose of this amendment is to replace the pdf files with excel  spreadsheets to facilitate editing and other changes under Attachment 1 and consolidating multiple PDF files under Attachment 2.

Attachment 1 – Requirements Worksheets is amended to delete the following pdf files: Asset Management Tool, Configuration Management Tool, FISMA Security Authorization management Tool, Governance Risk and Compliance management Tool, Malware Detection Tool, and Vulnerability Management Tool. The deleted files in Attachment 1 are replaced with the following excel spreadsheets: Vendor_Response_Form_Asset_Management Tool_v1 1, Vendor_Response_Form_Configuration_Management_Tool_v1 1, Vendor_ Response_Form_FISMA_SA_Tool_v1 1, Vendor_Response_Form_GRC_Tool_v1 1, Vendor_Response_Form_Malware_Tool_v1 1, and Vendor_Response_Form_Vulnerability_Management_Tool_v1 1

Attachment 2-Draft SAIR Tier III Product Performance Requirements for Information Security Continuous Monitoring is amended to delete the following files: SAIR Tier III Product Performance Requirements for Information Security Continuous Monitoring part 1, SAIR Tier III Product Performance Requirements for Information Security Continuous Monitoring part 2, and SAIR Tier III Product Performance Requirements for Information Security Continuous Monitoring part 3. The deleted pdf files under Attachment 2 are consolidated under one pdf file (SAIR III_Requirements _v1 1-1).

Attachment 3 CMRS_CONOPS_CyberOps v10 Final remains unchanged.