Situational Awareness Incident Response (SAIR) Tier III Project and Industry Day Notice.

Solicitation Number: RFI-OPO-12-0001
Agency: Department of Homeland Security
Office: Office of the Chief Procurement Officer
Location: Office of Procurement Operations
Modification/Amendment
Added: Nov 23, 2011 4:36 pm
Modified: Dec 07, 2011 3:53 pm
REQUEST FOR INFORMATION (RFI)
For the
Department of Homeland Security (DHS)
National Protectorate and Programs Division (NPPD) National Cyber Security Program
Situational Awareness Incident Response (SAIR) Tier III Project.


This is a Request for Information (RFI) as identified in FAR 15.201 (c)(7). This is not a Request for Proposal (RFP). A solicitation is not being issued at this time, and this notice shall not be construed as a commitment by the Government to issue a solicitation, nor does it restrict the Government to a particular acquisition approach.



The Department of Homeland Security (DHS) National Cyber Security Division is requesting industry feedback on existing Government product performance requirements involving the Situational Awareness Incident Response (SAIR) Tier III project. The objective of SAIR Tier III is to provide U.S. Government (USG) agencies the ability to assess, assure, monitor, and measure the security posture of their information technology (IT) assets in a timely manner (i.e., near-real time.) This RFI provides an opportunity for respondents to submit their ideas and initiatives related to this request. Additionally, respondents will have the opportunity to comment on the draft product performance requirements for SAIR III listed on Attachment 2.


The Government will evaluate industry feedback on the Government's SAIR III technical requirements; the Government may then hold an industry day to answer any specific questions related to this RFI. The Government may use feedback that results from this RFI and industry day to further refine technical requirements and potentially establish a qualified product list (QPL) for COTS products that can be utilized by federal, state, and local Governments for Information Security Continuous Monitoring.


If the development of a QPL results from this RFI, DHS NCSD will be responsible for managing the QPL in terms of testing and evaluating COTS products to ensure proposed products meet any developed SAIR III minimum technical requirements. This QPL will be developed for multiple federal agency use. Product acquisitions will be at the discretion of each individual agency. The potential QPL may be established as guidance to assist federal agencies in managing information system security capabilities across the federal civilian enterprise.


1. BACKGROUND:


The Information Systems Security Line of Business (ISSLOB) was created in 2005 to improve the level of information systems security across government by eliminating duplication of effort, increasing aggregate expertise and enhancing the overall security posture of the Federal Government. This value proposition is supported through the use of Shared Service Centers (SSC's), consolidated acquisitions, agency standard practices and lessons learned across agencies.
In 2007, the ISSLOB launched a series of procurements under the Situational Awareness Incident Response (SAIR) Initiative. Based on guidance from the Federal Systems Security Governance Board (FSSGB), the oversight body of the ISSLOB, the SAIR procurements follow a tiered execution approach. The SAIR initiatives are aimed at providing an efficient, cost effective mechanism to deliver enhanced information system security capabilities across the federal civilian enterprise.
The cyber landscape in which federal agencies operate is a constantly changing and dynamic environment. Threats to the nation's information security continue to evolve and government leaders have recognized the need for a modified approach in protecting our cyber infrastructure. The new approach moves away from historical compliance reporting toward combating threats to our nation's networks on a real time basis. The tools and services delivered through the SAIR Tier III project will provide federal agencies with the ability to enhance/automate their existing continuous network monitoring capabilities, correlate and analyze critical security-related information, and enhance risk-based decision making at the agency and federal enterprise level. Information obtained from the automated monitoring tools will eventually feed CyberScope and allow for the correlation and analysis of security-related information across the federal enterprise.


2. SAIR III TECHNICAL REQUIREMENTS:


The capabilities sought for SAIR Tier III are:


1. Asset Management Tools. Products that provide the ability to document, track, and discover both authorized and unauthorized IT assets. For example: NIST SCAP-validated asset management tools.
2. Configuration Management Tools. Products that provide the ability to assess, monitor, and report compliance of agency-specified security configuration settings and patches, as well as real-time alerting of changes to approved baseline configurations for hardware, software, user access and security controls. For example: NIST SCAP-validated FDCC scanners and authenticated configuration scanners.
3. Vulnerability Management Tools. Products that provide the ability to discover, identify, and locate known security vulnerabilities and software security weaknesses, and report the associated potential exposure risks using the Common Vulnerability Scoring System (CVSS) and the Common Weakness Scoring System (CWSS™). For example: NIST SCAP-validated authenticated vulnerability & patch scanners, unauthenticated vulnerability scanners, source code security analyzers, web and database vulnerability scanners.
4. Malware Detection Tools. Products that provide the ability to discover, isolate, characterize, and report known malware for supporting agency's security incident response process. For example: Malware Attribute Enumeration and Characterization (MAEC™)-compatible malware tools.
5. Situational Awareness Analysis and Reporting Tools. Products that provide the ability to collect, associate, compile, and report security posture metrics in terms of IT security governance and operational effectiveness. For example: governance, risk, and compliance (GRC) reporting tools and FISMA security authorization management tools.


Where the capabilities are defined:


1. Asset Management Function: System functions that support the management of hardware and software inventory baseline by documenting, tracking, and discovery of agency-responsible IT assets (i.e., hardware, software, and virtualized configuration items); and to identify unauthorized IT assets.
2. Configuration Management Function: System functions that support the management of security configuration baseline by documenting and tracking compliance with agency-specified security configuration settings and software patches (i.e., compliance with Federal Desktop Core Configuration [FDCC], USG Configuration Baseline [USGCB], and Security Technical Implementation Guides [STIGs], etc.) This includes system functions that provide continuous real-time detection and alerting of unauthorized changes to baseline configurations for hardware, software, user access, and security controls for perimeter defense and the core IT operating environment.
3. Vulnerability Management Function: System functions that discover, identify, and locate known security vulnerabilities and software weaknesses (i.e., the Common Vulnerabilities and Exposures [CVE®] and the Common Weakness Enumeration [CWE™]), and support the understanding of their associated potential exposure risks (i.e., metrics generated from the Common Vulnerability Scoring System [CVSS] and the Common Weakness Scoring System [CWSS™]).
4. Malware Detection Function: System functions that discover, identify, characterize, and locate known malware in a standard language (i.e., the Malware Attribute Enumeration and Characterization [MAEC™]) for supporting agency's incident response process.
5. Situational Awareness Analysis and Report Function: System functions that collect, associate, compile, and report metrics that support analysis in the understanding of security posture in terms of IT security governance and operational effectiveness.


This Request for Information (RFI) addresses the ISSLOB's information systems security need for tools to support a continuous monitoring capability.
The draft performance requirements these tools must possess can be found in the attached document, SAIR III Product Performance Requirements for Information Security Continuous Monitoring.


3. RFI PURPOSE AND LIMITATIONS:


Responses to this RFI are not offers and shall not be accepted by the Government to form a binding contract. The responses to this RFI may be used to assist the Government in further refining SAIR III technical requirements and potentially establishing a QPL.


Per Federal Acquisition Regulation (FAR) Part 10 - Market Research, this RFI is posted for data gathering and planning purposes only. It does not constitute a solicitation, and shall not be construed as a commitment by the Government to issue a solicitation or award a contract. The Government will not reimburse any respondent for any costs associated with information submitted in response to this RFI. Industry feedback is vitally important and the Government will be receptive to any and all ideas received from industry. This RFI is an expression of the Government's interest only and does not obligate the Government to pay for the requested information nor respond to any submissions. Proprietary information is not being solicited; however, if it is submitted, highlight and clearly mark those sections with "proprietary information". Submissions received from respondents to this RFI will not be returned.


4. RESPONSES TO THIS RFI:


FAR Provision 52.215-3 is hereby incorporated in full text:


52.215-3 Request for Information or Solicitation for Planning Purposes (OCT 1997)


a. The Government does not intend to award a contract on the basis of this solicitation or to otherwise pay for the information solicited except as an allowable cost under other contracts as provided in subsection 31.205-18, Bid and proposal costs, of the Federal Acquisition Regulation.
b. Although "proposal" and "offeror" are used in this Request for Information, your response will be treated as information only. It shall not be used as a proposal.
c. This solicitation is issued for the purpose of: [Not Applicable, this is an RFI]
(End of provision)
Please provide comments to the proposed requirements listed in the attached spreadsheets. The response spreadsheets are organized by SAIR Tier III specified functions: Asset Management, Configuration Management, Vulnerability Management, Malware Detection, GRC, and FISMA. Please provide response accordingly. If your product provides multiple functions, then respond with multiple response forms. When suggesting an edit to existing requirement text, please provide supporting rationale. If suggesting a change to the requirement's criticality, please indicate the proposed degree (Must, Shall, Should, May) with supporting rationale.


Please limit your formal white paper submission to no more than two (2) pages, not including the cover letter or the comments provided in the requirements worksheet. Responders' submission should address the following questions:
a. Are you willing to submit your products, software, appliance, etc. for testing if the Government chooses to conduct a series of validation tests?
b. What suggestions, beyond what you have commented on the requirements sheets, would you make to the government regarding the capabilities sought? Feel free to share insights.


Technical questions and industry responses shall be submitted electronically via email to Contract Specialist, Tanisha Walcott. The contact information is provided below:


Tanisha Walcott
202-447-0612
Tanisha.Walcott@hq.dhs.gov



Include in the Email Subject line: RFI-OPO-12-0001, SAIR Tier III.


Any requests for additional information or explanations concerning this RFI must be received no later than Wednesday December 28, 2011 at 12:00 noon Eastern Standard Time. These requests should be submitted electronically to Tanisha.Walcott@dhs.gov.


Responses must be received no later than Friday, January 20, 2012 at 12:00 noon Eastern Standard Time. All material submitted in response to this RFI must be unclassified and properly marked.



I. LIST OF ATTACHMENTS:


1. Requirements Worksheets.
2. Draft SAIR Tier III Product Performance Requirements for Information Security Continuous Monitoring, Version 1.0.
3. Continuous Monitoring and Risk Scoring (CM/RS) Concept of Operations (CONOPS) for Supporting Agency Cyber Security Operations, Version 1.0.


Note that Attachment 3 is provided as background information and does not require vendor comments.


 
Industry Day Notice:

The Department of Homeland Security (DHS) Federal Network Security (FNS) Branch will conduct one (1) Situational Awareness and Incident Response (SAIR) Tier III Industry Day session at The MITRE Corporation on January 13, 2012 at 10:30 AM. Entrance will be permitted from 9:00 AM.


The purpose of the SAIR Tier III Industry Day is to provide an opportunity for interested parties to become more familiar with the requirements presented in the SAIR Tier III Request for Information (RFI), ask questions, and provide feedback. Attendance at SAIR Tier III Industry Day is NOT a requirement and does not affect any company submitting a response to the RFI.


Pre-registration is MANDATORY for the SAIR Tier III Industry Day. Registration will close on January 6, 2012 at https://register.mitre.org/sair.

 Walk-ins will not be admitted. Due to space limitations, no more than two (2) representatives from each vendor team will be permitted to attend. Foreign nationals are not permitted.


The SAIR Tier III Industry Day will be held on
January 13, 2012 at:
The MITRE Corporation
MITRE 1 Building Auditorium
7525 Colshire Drive
McLean, VA 22102-7539


Directions to the facility can be found at:
http://www.mitre.org/about/locations/va_mclean_mitre1.html.


Entrance and check-in are through the MITRE 1 Building South Lobby. Attendees MUST present picture identification (driver's license or state ID) matching the name on their registration to be issued a temporary visitor badge for the duration of SAIR Tier III Industry Day. Attendees are advised to allow time for check-in, which will begin at 9:00 AM.


The schedule for the SAIR Tier III Industry Day follows:
9:00 - 10:30 Arrival
10:30 - 10:45 Welcome
10:45 - 12:00 Requirements presentation
12:00 - 12:30 Qualified Products List (QPL) presentation
12:30 - 1:30 Break for lunch (not provided, cafeteria on-site)
1:30 - 3:30 Panel question/answer session
3:30 - 3:45 Recap


 

Office of the Chief Procurement Officer
Washington, District of Columbia 20528
United States

Washington DC
United States

Tanisha L. Walcott,
Contract Specialist
Phone: 2024470612

Robert Degnan,
Contracting Officer
Phone: 202-447-5576
Fax: 202-447-5725