Loren Data's SAM Daily™

fbodaily.com
FBO DAILY ISSUE OF NOVEMBER 18, 2007 FBO #2183
SOURCES SOUGHT

70 -- SSA Seeking Sources Capable of Providing an Enterprise Solution for Database Security Compliance

Notice Date
11/16/2007
 
Notice Type
Sources Sought
 
NAICS
541511 — Custom Computer Programming Services
 
Contracting Office
Social Security Administration, Office of Budget, Finance, and Management, Office of Acquisition and Grants, 1st Floor, Rear Entrance 7111 Security Blvd., Baltimore, MD, 21244, UNITED STATES
 
ZIP Code
00000
 
Solicitation Number
Reference-Number-SSA-SSS-ENTDATA-CS
 
Response Due
12/3/2007
 
Archive Date
12/18/2007
 
Point of Contact
Cynthia Spencer, Contract Specialist, Phone 4109653369, Fax 4109659560
 
E-Mail Address
cynthia.spencer@ssa.gov
 
Description
BACKGROUND: The President's Management Agenda (PMA), the Office of Management and Budget (OMB) and the Federal Information Security Management Act (FISMA) require Federal agencies to develop and implement policies and procedures to secure agency information systems. The Social Security Administration (SSA) is seeking a vendor who can provide a comprehensive, integrated enterprise solution for database security and compliance, assist SSA in improving the security posture of the SSA database environment, and provide compliance with relevant FISMA, NIST and OMB M-06-16 requirements. SSA will use the database security solution to ensure that 1) systems are securely configured, and that accurate and timely knowledge of configuration changes and new vulnerabilities within the database is reported and corrected; and 2) systems are continually monitored for the purpose of identifying and responding to unauthorized or potentially dangerous activity.

MANDATORY EVALUATION REQUIREMENTS: SSA requests that vendors respond to all general and technical requirements. All responses will be used as evaluation criteria in determining the most suitable solution for SSA's environment. Any additional response will be evaluated as "additional consideration" and weighted appropriately. Solutions that require more than one vendor to perform all tasks must include an integration document. The integration document will be evaluated as a level of effort in comparison to a single-vendor, fully integrated solution. For example, if a database scanning solution is being integrated with a network monitoring solution, the integration document would detail the steps required to have the individual components operate successfully as a single solution. This would also include any steps required to meet criteria such as "the solution must have the ability to automate the process of creating database activity monitoring and auditing policies based on the discovered vulnerability scan results".

GENERAL REQUIREMENTS. THE SELECTED VENDOR MUST HAVE:
A) a proven history of similar installations in other U.S. Federal government agencies; specifically, the solution must have been deployed within a U.S. Federal government agency at a scale similar to SSA's;
B) demonstrable technical expertise and background in database security research;
C) a demonstrable track record of consistent and regular delivery of database vulnerability and exploit signature updates.

TECHNICAL REQUIREMENTS. THE SOLUTION MUST:
1) provide policy mapping to Federal-standard approved database checklists, supporting the automation of compliance testing;
2) be SCAP compatible, or have a documented roadmap to achieve SCAP compatibility within a period not greater than six months;
3) provide integration with the ASSERT FISMA reporting tool (highly desirable);
4) provide pre-defined best-practice policies, including but not limited to policies for CIS, FISMA, DISA, HIPAA and SOX;
5) currently be Common Criteria certified, or currently "In Process" for Common Criteria certification;
6) be CVE compatible as described in NIST Special Publication 800-51, Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme;
7) support integrated enterprise-wide database discovery;
8) support integrated database vulnerability scanning and assessment;
9) support integrated network-based database intrusion detection, with real-time database activity monitoring and database auditing;
10) support integrated, customizable reporting and industry-standard integration interfaces for third-party security and enterprise management systems (SIM/SEM);
11) have the ability to automate the process of creating database activity monitoring and auditing policies based on the discovered vulnerability scan results;
12) introduce minimal performance impact on the existing database systems and network environment;
13) minimize false positives and be based on a policy model;
14) be able to detect complex attacks and threats such as SQL injection attacks, buffer overflow exploits, etc.;
15) be able to identify misuse and malicious behavior;
16) be deployable without requiring modification to the associated application infrastructure or reconfiguration of the SSA network infrastructure;
17) provide recommended remediation information and/or compensating-controls implementation;
18) have the ability to monitor and audit the extraction of sensitive information contained in SSA databases;
19) perform real-time alerting of potentially malicious or unauthorized behavior at the database access level;
20) include database vulnerability information and database activity and audit reporting;
21) provide "Progress Reports" to show vulnerability remediation and compensating-controls implementation progress;
22) provide a report on vulnerabilities for which compensating IDS monitoring provisions have been implemented (e.g. vulnerabilities which were discovered in the past but have since been remediated and no longer exist);
23) possess the ability to perform both authenticated and unauthenticated vulnerability assessments of the database;
24) allow for customization of policy usage based on the level of access to the host device (e.g. if authenticated access, run policy A; if unauthenticated, run policy B);
25) discover and inventory all databases in the SSA IT environment, including databases packaged with other software products (e.g. MSDE and MySQL);
26) provide support for the following platforms: a) Oracle; b) Microsoft SQL Server (including MSDE) and MySQL; c) IBM DB2, including z/OS;
27) scale to support thousands of databases;
28) have a centrally managed console supporting multiple users/administrators with role-based access to enforce separation of duties;
29) integrate with Active Directory for user authentication;
30) employ an agentless scanning capability for database discovery, sensitive-data discovery, database penetration testing and database configuration audits;
31) support vendor-provided vulnerability updates and exploit signatures via an automated update delivery mechanism;
32) support zero-knowledge database discovery;
33) discover and identify weak passwords and default vendor-supplied passwords;
34) allow for customization of the vulnerability severity level, with persistence of the change under any vendor-supplied update scenario;
35) allow for creation of custom database vulnerability checks and for incorporation of the custom checks into the standard product knowledgebase, with full knowledgebase editing capability and full persistence of the changes under any vendor-supplied update scenario;
36) support both host-based activity monitoring agents and network-based activity monitoring agents, but NOT require both in order to achieve the SSA-desired level of monitoring of privileged user activity (e.g. for performance considerations only);
37) be able to monitor for access to sensitive data, while optionally allowing for suppression of that data being stored in the monitoring system's own backend database;
38) have an activity monitoring and intrusion detection system that is policy-based, includes standard canned policies developed around the Federal regulatory standards defined above, and allows for assignment of policies by target database system;
39) have an intrusion detection capability that supports rules and exploit signatures for detection of common vulnerabilities, with the ability to auto-generate policies based on the discovered vulnerabilities;
40) provide the ability to create custom monitoring rules and filters, and make custom rules available for addition to standard or custom policies;
41) provide a GUI or wizard to create the custom rules and filters, and the ability to edit existing filters;
42) allow for custom definition of the action to be taken if a rule or filter triggers (e.g. high alert, notification only, audit data only, etc.);
43) support both single-occurrence alert conditions and multi-occurrence, interval-based alerting;
44) support industry-standard mechanisms and interfaces for alert and message notification to third-party management systems, including SNMP and SMTP;
45) have a report-writing and reporting capability;
46) provide for scheduled report generation and distribution via e-mail;
47) accept direct import of the existing SSA database inventory information, vulnerability knowledgebase and configuration knowledgebase;
48) be able to be initiated from a Command Line Interface (CLI) as well as a GUI, or have a documented roadmap to achieve this capability within a period not greater than six months;
49) be IPv6 compatible, or have a documented roadmap to achieve this compatibility no later than September 30, 2008; and
50) provide telephone hotline support during normal business hours.

Responses must be specific as to the product proposed. NOTE: Vendors must provide verifiable proof of Section 508 compliance in sufficient detail to demonstrate their ability to meet the Agency's requirement; see http://www.section508.gov/ . This is not a request for proposal, and the Government does not intend to pay for information submitted. The Government will not award a contract based on responses received; however, SSA will use this information to assess capable sources. Vendors that believe they can offer a technically compliant product should submit information concerning their product's capabilities. Detailed responses to each of the above requirements (with substantiating documentation) are required. Respondents should indicate whether their software is available on GSA Federal Supply Schedules or any other Government-wide Agency Contract (GWAC). SSA will not consider simple marketing information or an incomplete response. SSA will not consider reference to vendor web sites as a valid response. Any firm deeming itself capable of providing a product that meets the requirements listed above must submit its response electronically, to be received by 3:00 p.m. EST on December 3, 2007. SSA will not accept faxed information. The size limitation for e-mail attachments is 10 megabytes. MS Word is the Agency's standard word processing software. SSA will not provide acknowledgement of responses received. Respondents should refer to SSA-SSS-ENTDATA-CS.
 
Place of Performance
Address: National Computer Center, 6201 Security Blvd., Baltimore, MD
Zip Code: 21235
Country: UNITED STATES
 
Record
SN01454230-W 20071118/071116231608 (fbodaily.com)
 
Source
FedBizOpps
