Loren Data's SAM Daily™

fbodaily.com
FBO DAILY ISSUE OF JUNE 17, 2004 FBO #0934
MODIFICATION

D -- IT Certification & Accreditation

Notice Date
6/15/2004
 
Notice Type
Modification
 
NAICS
541690 — Other Scientific and Technical Consulting Services
 
Contracting Office
Department of Agriculture, Agricultural Research Service, Acquisition and Property Division, Acquisition Branch (MD), 5601 Sunnyside Avenue, Building 3, Mailstop: 5116, Beltsville, MD, 20705
 
ZIP Code
20705
 
Solicitation Number
04-3K06-021
 
Response Due
6/22/2004
 
Archive Date
7/7/2004
 
Point of Contact
John Chadwick, Contract Specialist, Phone 301-504-1732, Fax 301-504-1717; Dennis Foley, Supervisory Contract Specialist, Phone 631-323-3397, Fax 631-323-3295
 
E-Mail Address
jchadwick@ars.usda.gov, dfoley@piadc.ars.usda.gov
 
Small Business Set-Aside
Total Small Business
 
Description
Attached hereto are questions and answers to RFQ No. 04-3K06-021.

(1) Q: Is the requirement for 215 individual C&A's to be prepared? Or, is there a possibility that several systems can be combined in a single C&A? A: The requirement is for 213 individual C&A's to be prepared. No, they cannot be combined.

(2) Q: Please confirm that the completion date for this work is September 30, 2004. My understanding was that agencies had until September 30, 2005 to complete their C&A's. A: Requiring activity confirmed that the completion date for all work is September 30, 2004.

(3) Q: What is the breakdown of the 213 systems and applications? How many are General Support Systems (GSS)? Major Applications (MA)/non-MAs? Low impact systems? A: 200 General Support Systems, 13 Non-major applications; all are low impact systems.

(4) Q: What operating systems/software is used on these systems and applications? How many are non-COTS applications? A: Most General Support Systems are a combination of Windows, UNIX and LINUX, and MAC. The operating systems vary widely with a mix of versions. For example, Windows 2003, Windows 2000 and Windows NT are in use to support agency public Web sites; Windows XP, Windows 2000, Windows NT, and Windows 95/98 exist on agency desktops.

(5) Q: Does ARS expect the contractor to develop Security Plans, Risk Assessments and ST&E documentation or just review those already in place? A: The contractor shall perform the risk assessments, review existing plans, perform security evaluations, etc., as stated in the SOW.

(6) Q: Will any travel to the 100 locations be required? A: No travel to the sites will be required. Communication and coordination activities will be conducted by phone and e-mail as needed.

(7) Q: Have any of the systems or applications already been Accredited, or received Interim Authorization to Operate? If so, how many? A: The agency systems have not been accredited.

(8) Q: Please clarify the intent of Paragraph 2.0 Scope that states that the "contractor shall develop detailed instructions, templates, and boilerplates ..." Is this a task under this solicitation or merely background? If a task, what is needed beyond the OCIO templates and instructions described in paragraph 3.2? A: This is background. The contractor is only required to perform the tasks identified in the SOW. However, the contractor may use a variety of tools to accomplish these tasks, like checklists or pre-defined interview questionnaires.

(9) Q: How many Security Plans will have to be reviewed for task 3.2? If Security Plans for any of the 213 systems do not exist, is the contractor expected to develop them? A: All 213 plans exist and shall be reviewed.

(10) Q: How many self-assessments will have to be reviewed for task 3.3? Do self-assessments follow NIST SP 800-26 format? Will the contractor have to perform any Initial Risk Assessments as indicated in the paragraph heading or merely review existing self-assessments? A: All systems require a self-assessment following NIST SP 800-26 guidance.

(11) Q: How many ST&E will have to be reviewed for task 3.4? A: All systems shall have an ST&E to verify security controls in accordance with NIST SP 800-37 guidance.

(12) Q: How many Interconnectivity Support Agreements (ISAs) will need to be developed for task 3.5? A: It is estimated that one third of agency networks do not use the USDA network as an Internet Service Provider (ISP). These networks are generally connected to local university campuses. A standard MOU template may be created and used to meet this requirement.

(13) Q: Please clarify what is required for task 3.4. The first sentence states the contractor will review documents to determine if risk is acceptable. Does the government have an acceptability criterion that should be used? A: The National Institute of Standards and Technology (NIST) Special Publications related to Security and Certification and Accreditation shall be followed.

(14) Q: The second sentence (Task 3.4) states that vulnerabilities should be documented in a POA&M. Does this mean the contractor should document vulnerabilities identified in Security Plans, self-assessments and ST&Es in a POA&M or something else? A: The contractor shall document vulnerabilities identified in system security plans, self-assessments, and ST&Es.

(15) Q: The third section (Task 3.4) describes tools and methods that can be used to determine if vulnerabilities exist. Are these tools that were used to help develop the Security Plans, self-assessments and ST&Es or tools the contractor should use to determine if vulnerabilities exist? A: These are tools the contractor may use to determine if vulnerabilities exist.

(16) Q: Have any Risk Assessments (NIST SP 800-30 or other format) been conducted for any of these systems and applications? A: An initial risk assessment to determine security categorization and system boundaries has been performed and will not be required by this contract.

(17) Q: Who will schedule interviews with ARS system personnel, if necessary? How soon after task initiation will documentation be made available to the contractor? A: Interviews with agency system administrators will be coordinated between the contractor and the Agency IT Security Specialist. System documentation will be provided within 5 business days following task initiation.

(18) Q: Does ARS currently have a Configuration Control Board (CCB)? A: No.

(19) Q: Has a DAA been appointed? A: Yes, DAAs have been identified for all systems.

(20) Q: Does the C&A include the enterprise network, workstations (PC's), mail servers, file servers, and print servers? A: Yes, the C&A includes all agency networks and applications. At present, agency sites manage networks locally.

(21) Q: How many servers are used to support the 213 systems? A: Varies depending on the location.

(22) Q: Which phases of the C&A process are required by this RFQ? A: All phases as prescribed in NIST SP 800-37 shall be followed.

(23) Q: Are any of the self-assessments completed on any of the systems? A: Approximately 70 self-assessments will be completed by July 1, 2004.

(24) Q: How many of the 213 systems are "low impact" systems per the definitions of the USDA C&A procedures referenced in the synopsis? A: All systems have been evaluated by ARS senior management and have been categorized as low impact in accordance with Federal Information Processing Standard (FIPS) 199.

(25) Q: 2.0 Scope says, "The contractor shall develop detailed instructions, to ** assist ** ARS system administrators to create documentation and complete tasks that meets USDA's requirements for certification and accreditation." (Emphasis added) Please confirm or clarify that the deliverable of "complete tasks" is dependent on USDA personnel participation in a timely and professional manner. How many such personnel are available, for how many hours over what period of time? A: Agency resources will be available to complete tasks as needed between June and September 2004 during normal business hours.

(26) Q: Scope 3.3. Confirm that the contractor shall review all 213 self-assessments. Or, for low-impact systems, the methods and procedures need only be described by the contractor; the actual review will be carried out by other personnel. In which case the review is NOT a deliverable; rather, a document describing the methods and procedures IS the deliverable for low-impact systems. A: The contractor shall conduct the self-assessments and is responsible for reviewing the security plans and self-assessments.

(27) Q: Scope 3.4. If a system is low-impact, is the self-review SUFFICIENT to meet the needs of the Test requirement in this paragraph? If not, how many vulnerability scans might be needed to satisfy the OCIO and other requirements? A: NIST SP 800-37 guidance related to Security and Certification and Accreditation of "low impact" systems shall be followed.

(28) Q: Scope 3.5. Confirm that only the standard "Interconnectivity" document needs to be developed and that USDA will cause the negotiations with the ISPs to happen at some later date. A: Yes, a standard template document shall be developed. Formal negotiations regarding the "interconnectivity agreements" will be performed at a future date. This task shall be reflected in the agency's POA&M and is not included in the scope of this contract.

(29) Q: Under section 8.0 PLACE OF PERFORMANCE, all the work is asked to be done in Beltsville or at the contractor's site. Are all 213 systems located locally, or does the contractor have access to the packages locally? Are we simply assisting to verify the contents and the quality of the packages for all these systems? A: The contractor will be provided access to all existing system documentation. The contractor is responsible for completing the documentation outlined in the SOW.

(30) Q: Is all of the documentation such as self-assessments, etc., available for all of the systems? A: No. System security plans exist but have not been updated this year. No other documentation currently exists.

(31) Q: Paragraph 3.4 Security Test and Evaluations - Has the ST&E been conducted on all the systems by another vendor? If so, the assumption is that the vendor on this contract will be reviewing the results of that ST&E. Is this correct? A: No ST&E has been performed. The contractor shall review ST&E results when they are completed.

(32) Q: Paragraph 3.3 Perform Initial Risk Assessment - Have initial risk assessments other than self-assessments been performed as required by the C&A guidance? If not, is the intent of this section that the vendor performs a risk assessment of each system? A: Initial risk assessments have been completed. Self-assessments have not been performed. The contractor shall conduct the self-assessments and analyze the results in security evaluation reports that document vulnerabilities and weaknesses.

(33) Q: The second paragraph of Section 2.0 states that, "ARS currently has 100 research locations including a few in other countries. The contractor shall provide security consultation and technical support to ARS to complete C&A activities for all of its Major/Non-Major Applications and General Support Systems, consisting of local area networks and web farms geographically located across the United States at ARS Area Offices and field locations." However, Section 8 states that "All work shall be performed at the George Washington Carver Center (GWCC) located in Beltsville, Maryland, or the contractor's facility." Is it possible for all ST&E activities to be performed from the GWCC location for all MAs and GSSs under this SOW, including any manual configuration testing and interviewing of key technical individuals? A: Yes, the ST&E for agency systems can be conducted from the GWCC location. Since the systems are low impact, the Agency will be conducting self-assessments and performing vulnerability scans to meet ST&E requirements.
 
Place of Performance
Address: USDA, George Washington Carver Center (GWCC), 5601 Sunnyside Ave, Beltsville, MD
Zip Code: 20705
Country: US
 
Record
SN00603371-W 20040617/040615211545 (fbodaily.com)
 
Source
FedBizOpps.gov Link to This Notice
(may not be valid after Archive Date)

© 1994-2020, Loren Data Corp.