MOD | D | IA Certification & Accredatation Process

FBO DAILY ISSUE OF SEPTEMBER 24, 2009 FBO #2861
MODIFICATION

D -- IA Certification & Accredatation Process

Notice Date: 9/22/2009
Notice Type: Modification/Amendment
NAICS: 541519 — Other Computer Related Services
Contracting Office: Department of the Air Force, Air Mobility Command, Headquarters AMC Contracting, 402 Scott Drive, Unit 2A2, Scott AFB, Illinois, 62225-5320, United States
ZIP Code: 62225-5320
Solicitation Number: EVSC1000
Archive Date: 10/31/2009
Point of Contact: micheal Mcmiller, Phone: 618 229-6271, micheal McMiller, Phone: 618 229-6271
E-Mail Address: meicheal.mcmiller@us.af.mil, micheal.mcmiller@us.af.mil
(meicheal.mcmiller@us.af.mil, micheal.mcmiller@us.af.mil)
Small Business Set-Aside: N/A
Description: OFFADD: AFNIC/EV 203 W. Losey St, Rm. 1100, Scott AFB IL 62225-5200 SUBJECT: REQUEST FOR INFORMATION DESC: This announcement constitutes a Request for Information (RFI) synopsis. This is not a Request for Proposal. Information obtained as a result of this synopsis is for planning purposes only. It does not constitute an invitation for sealed bid or request for proposal (RFP), nor is it to be construed as a commitment to develop by the government. All inquiries must be sent to: AFNIC.EV@us.af.mil. or michael.mcmiller@us.af.mil (618) 229 5589, (FAX (618) 229-6839 or tracy braadshaw@scott.af.mil 229-6328.The government is currently conducting a market survey and analysis of government-off-the-shelf (GOTS) and commercial off-the-shelf (COTS) products that can meet the requirements to support automation of the certification and accreditation (C&A) process based on the Department of Defense (DoD) Information Assurance Certification and Accreditation Process (DIACAP) for the Department of the Air Force (AF). The C&A process is designed to ensure that IT systems operate at an acceptable risk level, with reduced exposure to threats, and identified vulnerabilities are sufficiently mitigated. C&A provides standardization, increased confidence, lower level of risk, and reduced cost. DoD policy states that all DoD IT systems maintain an appropriate level of confidentiality, integrity, authentication, non-repudiation, and availability that reflects a balance among the importance and sensitivity of the information and information assets. It includes documented threats and vulnerabilities; the trustworthiness of users and interconnecting systems; the impact of impairment or destruction to the DoD IT system; and cost effectiveness. The evolution of C&A and the advent of enterprise-level drivers resulted in the creation of the DoD Information Assurance Certification and Accreditation Process (DIACAP). The goals of net-centricity across the DoD have transformed the way Information Assurance (IA) is achieved to facilitate assured information sharing, accelerated decision making, improved Joint warfighting, and the ability to dynamically exchange system-security credentials. The DIACAP is a dynamic, IA C&A process that supports and complements the net-centric, Global Information Grid (GIG)-based environment. The DIACAP establishes a standard process for: • Identifying, implementing, and validating standardized IA Controls • Authorizing the operation of DoD information systems • Managing an IA posture across the DoD information system life cycle The Air Force Network Integration Center (AFNIC) is seeking information regarding a GOTS or COTS solution to automate the AF C&A process based on DIACAP based on policy guidance in, AF Instruction (AFI) 33-210, Air Force Certification and Accreditation Program (AFCAP). The objective of this RFI is to solicit information regarding a GOTS or COTS product that will be able to perform the total DIACAP integration service, i.e. the design, development, deployment, and support of DIACAP. RFI responses should attempt to address the capabilities described above. The desired set of requirements is listed in Appendix A. The requirements listed could be modified at any time after the RFI to reflect overall changes due to the current needs of the DoD and USAF, regulatory changes, and/or discoveries made during the RFI process, to enhance the requirements prior to any procurement effort. Appendix B contains a list of guiding authorities which shall be adhered to by any solution. Appendix C includes the definitions of key terms as used in this RFI. Once again, due to new regulations being published, current regulations being updated and/or refined, and the changing needs of the USAF, all requirements are subject to change prior to initiating any procurement process. At a minimum, a vendor's RFI submission should provide detailed information on how the proposed product would meet the requirements specified in Appendix A of this RFI and the cost associated with the product. Submission should provide a listing of any Air Force or Government agency (with POC) that is using the product. Any independent verification of vendor claims should also be provided. The response should also include specific answers to the following requests/questions: 1. Describe how sites, systems and users are registered and maintained and show the relationships between them. 2. Describe how the proposed product provides forms, templates and supports the creation and management of all required C&A documentation. 3. Describe the data management/data relationships in the proposed product to support multiple instances (versions) of a system, system installations at multiple sites or enclaves, and multiple C&A packages/accreditation decisions to each system, site and/or enclave. 4. Describe how the product supports the reuse of data from previous packages, stores multiple versions of a package and archives old versions. 5. Describe the proposed product's ability to import and export data in common formats. 6. Describe the proposed product's ability to set priorities for C&A packages. 7. How will the proposed product address the issue of multiple Enterprise Information Technology Data Repository (EITDR) numbers assigned to a single system/application? 8. How will the proposed product support C&A workflow activities, including but not limited to the ability to assign tasks, measure time (work and total), set deadlines, enter revisions, issue approvals and user notification functionality? 9. Describe the proposed product's reporting capability, including pre-defined and user defined reports and filters, support for performance metrics, trend reporting over a period of time, Federal Information Security Act of 2002 (FISMA) reporting requirements and product/portfolio management activities. 10. Describe the proposed product's architecture, including the required interfaces with existing GOTS C&A tools and support for classified C&A packages. Describe if architecture allows multiple server locations. 11. Describe the bandwidth requirements and the ability to work in various environments. 12. Describe the proposed product's support for secure login, data encryption and Unclassified Trusted Network Protect Policy (UTNPP) compliance. Preferred login is through the Air Force portal with credentials passed to the application. CAC assess is also required for those people who cannot interface through the portal. If neither of these capabilities is not already provided then discuss how passwords are implemented and compare to the password requirements in the Appendix A. 13. Describe the administration and training requirements needed to configure and operate the proposed product and reporting functions. What kind of support and/or training is available for the proposed product? 14. Provide examples of where the proposed product has been implemented successfully in other similar enterprises. (Include POC information for cited references). 15. Provide a recommended licensing strategy for implementation for 500 users, 1000 users and 2500+ users. Address 200 simultaneous users and 20,000 total users. Provide acquisition and support costs out to 5 years. Include any costs associated with procuring servers and support software such as the database software. If license tokens are proposed then provide a description of how these tokens are issued and if there are time restrictions on the tokens, for example, if the users are issued license tokens is the time restriction on the token modifiable before released back to system? 16. Describe options for data storage including any limits and recommended architecture for several alternatives. 17. Describe the ability to search data by user, date, field, and/or data elements. 18. Which of the requirements specified in Appendix A of this RFI will your proposed product be unable to meet? What alternative solutions are suggested to fulfill the AF's requirements? 19. Describe the installation and integration support and cost per user seat. Also provide costs for level 2 and level 3 product support. Installation prerequisites, including hardware requirements, operating system requirements (including recommended patch levels), and additional third-party software requirements shall be clearly identified in C&A Tool documentation. 20. Describe the process design environment. Is it based on a standard architecture (e.g. SharePoint Designer, Eclipse, Visual Studio, Oracle, etc.) to provide a familiar environment for developers? Does it incorporate common, familiar, and prevalent process design tools? 21. Does the solution proposed already have DIACAP certification in DoD? 22. Does the system support spell checking? 23. Describe the product's architecture requirements in terms of what database (Microsoft SQL Server/Access, Oracle, or proprietary etc) if any is used, what hardware (type of web server) and software (operating system software, UNIX, LINUX, etc) is required. 24. Describe how the product maintains continuity of operations in case of a point failure. 25. Password and CAC card compatibility: The C&A Tool shall enforce unique user identification and authentication prior to using the tool, preferably with CAC card compatibility. If not CAC, then passwords, which meet the requirements listed in Appendix A, shall be used. 26. Describe if the tool uses any third party code and if this code is proprietary. Vendors responding to this RFI who can make solutions available to the USAF are requested to provide a description of capabilities NLT 16 Oct 09 from publication of this notice. Potential vendors may express interest, make comments, and ask questions via electronic mail, phone call, or fax to the Air Force Network Integration Center, Information Assurance at AFNIC.EV@us.af.mil, (618) 229-6271, FAX (618) 229-6839. All comments and questions must be in writing and must identify the company source, contact person, e-mail address, and telephone number. Appendix A - Certification & Accreditation (C&A) Tool Requirements The following items describe the desired characteristics of an automated C&A product: 1. The ability to support Security discipline of USAF IT Lean process as described in AFPD 33-2, Information Assurance (IA) Program; AFI 33-210, Air Force Certification & Accreditation (C&A) Program (AFCAP); and the IT Lean Re-engineering Guidebook. 2. The ability to register information systems such as platform IT interconnections, outsourced IT, automated information systems (AIS), and enclaves. The C&A Tool shall support the evaluation of the security of the system or application architecture and design. 3. The ability to interface and exchange information with other DoD databases, including but not limited to the Enterprise Information Technology Data Repository (EITDR) and Enterprise Mission Assurance Support Service (eMASS). 4. Ability to import system data from EITDR. 5. Support for document management, including the ability to upload and download documents, associate documents with C&A packages, launch external applications associated with uploaded documents, and version control. Ability to change a document and update all references to it. Ability to automatically date stamp associated documents. Ability to reuse single document or diagram for multiple C&A questions. The C&A Tool shall have document control capability (check-in, check-out). The C&A Tool shall allow authorized users to delete document records they have created. 6. The ability to create and modify templates for entering data associated with packages, creation and modification of forms based on templates, the ability to edit, append, delete, view and search data on forms, and the ability to save history of all forms and data associated with a particular C&A package version. 7. The ability to separately relate data, forms and documents with multiple C&A packages along with the ability to transfer ownership of a package along with all of its associated data, forms and documents. The ability to share data between systems or packages. The C&A Tool shall allow Binary Large Object (BLOB) data type in the database. 8. Ability to reuse data from previous "predecessor" packages in new packages, store and maintain multiple versions of a package and archive old versions. The ability to delete packages if erroneously created. Ability to track C&A status of multiple versions of the same system. 9. The ability to import and export data associated with a C&A package. 10. Ability to store documents. 11. Ability to change a document and update all references to the document (or pick and choose from all references) and/or prompt for other modifications to the artifact or the reference point where stored. 12. The ability to prioritize C&A packages by Mission Assurance Code (MAC), expiration date, or other user-defined parameters. 13. The ability to link or associate multiple C&A packages. 14. The ability to associate EITDR and DoD Information Technology Portfolio Repository (DITPR) numbers with a C&A package. 15. Ability to autopopulate IA controls, implementation procedures, and validation procedures based on DIACAP Knowledge Service (KS). Ability to identify systemic weaknesses associated with non-compliant IA controls 16. Ability to add AF-unique IA controls. 17. Ability to limit IA controls required for a system to those relevant to system MAC and Criticality Level (CL). 18. Ability to support both inheritance of IA controls from other IT systems (originating system) and inheritability of IA controls by other IT systems (receiving system) with originating system owner concurrence. Ability to auto-populate inherited IA controls in inheriting system's C&A package. Ability to provide access to originating system's IA Control validation and certification results from receiving system. Ability to automatically answer and lock inherited controls. Ability to automatically notify owners of receiving systems if IA control response in the originating system changes. 19. Support for C&A workflow activities, including the ability to create and assign activities to users or groups of users, assign activities to C&A packages, assign status to C&A packages based on an activity, create triggers and/or time constraints for activities, and measure working and total time at each activity. Ability to trigger C&A workflow activities based on C&A submitting organization, package type and/or priority. Ability to query any field for data and time stamp. 20. The ability to notify users or groups of users when a time constraint has been exceeded, when status of a C&A package has changed or for other messaging needs. 21. Ability to automatically notify system owner and validators 6 months, 3 months, 2 months, and 1 month before annual review is due; provide weekly notifications for last three weeks; provide daily notifications for last week, and provide daily notifications each day after annual review is due. Ability to automatically cease notifications after annual review is complete. 22. Ability to automatically notify system owner and validators 1 year, 6 months, 3 months, 2 months, and 1 month before re-accreditation is due; provide weekly notifications for last three weeks; provide daily notifications for last week, and provide daily notifications each day after re-accreditation is due. Ability to automatically cease notifications after re-accreditation is complete. 23. Ability to automatically notify system owner and validators on expiration of other key metrics such as IT Security Plan of Action and Milestones (POA&M). 24. Ability to display IA control status using color codes; i.e., red = invalidated, yellow = validated but not approved, green = validated and approved. The C&A Tool shall support users performing qualitative risk assessments. 25. Ability to group controls by artifact/document; ability to track progress by artifact/document. The C&A Tool shall be able to reference C&A documents required at each milestone in the customer System Development Life Cycle process and provide a snapshot in time for the C&A efforts based on System Development Life Cycle process. 26. Ability to answer questions in a later IT Lean phase while awaiting approval of a previous phase. 27. Reporting capabilities, including the ability to create ad-hoc reports limited by user role, filter reports based on multiple criteria, trend reporting and support for Federal Information System Management Act (FISMA) reporting requirements. The C&A Tool shall provide a mechanism for cross-referencing to the IT system inventory in the Trusted Agent FISMA Tool. The C&A Tool shall provide the ability to view the status of all messages, notices, and tool alerts generated by the C&A Tool. The C&A Tool shall provide management reporting capability correlating to the e-Government scorecard (Red, Yellow, Green). The C&A Tool shall have the capability to generate reports that will provide status of the C&A documentation for a project. The C&A Tool shall allow the user to specify input parameters (e.g., fields, sort order) for reports. The C&A Tool shall have the capability to generate summary reports on the status of C&A activities by customer, by DAA, or by other specifiable grouping. The C&A Tool shall have the capability to produce performance metrics as defined by the customer. The C&A Tool shall provide the capability to provide alerts when completion dates for designated tasks have expired or are about to expire. 28. Ability to generate and update a DIACAP Executive Package and Comprehensive DIACAP Package, including System Identification Profile (SIP), DIACAP Implementation Plan (DIP), POA&M, and DIACAP Scorecard in format prescribed by DIACAP KS. Ability to generate FISMA report, and annual testing and review reports. Ability to track, store, access, and export documents for staffing and signature. 29. Ability to provide dashboard views of enterprise, portfolio, and system level statistics. The C&A Tool shall provide the ability to enter and retrieve point of contact information for all the projects. The C&A Tool shall provide the capability to specify when a section of a document is complete. The C&A Tool shall maintain status of system or application certifications and provide customizable recertification alerts. The C&A Tool shall track all messages, notices, alerts generated keeping track of the date, time, type of action (message, notice, alert), source, destination, required response date, actual response date, originator, and recipient. 30. Ability to automate POA&M review process. Ability to allow mission owner to negotiate POA&M and risk acceptance. Ability to permit resource owner input during POA&M development. Ability to provide POA&M tracking and status update. 31. Ability to produce System Security Plan in DoD-required format. 32. Ability to re-accredit versions of systems. 33. Ability to create a DIACAP package for systems that are being developed for non-AF entities that don't have to meet AF requirements. 34. A configurable web based client software that supports standard AF approved browsers and does not require any physical installation on the user's PC. Use only ports 80 and 443 for standard access. Installation prerequisites, including hardware requirements, operating system requirements (including recommended patch levels), and additional third-party software requirements clearly identified in software documentation. 35. Ability to download C&A packages, work on them off-line, and then re-upload them. The C&A Tool shall ensure that temporary files created by the C&A Tool shall be cleared after the user has logged off. 36. Ability to display information using a Graphical User Interface (GUI) front end with point and click functionality. 37. Ability to support both high- and low-bandwidth users. 38. Ability to support Public Key Infrastructure (PKI) and the cryptographic access requirements of AF network login, digital signatures, data encryption and be Unclassified Trusted Network Protect Policy /Classified Trusted Network Protect Policy (CTNPP) compliant. Ability to use PKI digital signatures for all output documents. 39. Ability to restrict user permission and access to portfolio structure to a need-to-know basis. Ability to view by user which permissions have been assigned. Ability to view by system which permissions have been assigned 40. Ability to support classified C&A packages up to the SECRET level. The system shall be designed to meet the security specifications necessary to operate on unclassified and classified networks. The system shall have the capability to force users to enter security markings on documents generated via classified networks. 41. Ability to import system vulnerability scans and associate scans to systems within C&A packages. The C&A Tool shall have the capability to support the importing of vulnerability assessments and of residual risk information. 42. Ability to expand or contract the number and type of controls (i.e., future integration of National Institute of Standards and Technology (NIST), Director of National Intelligence (DNI), or National Security Agency (NSA) controls). 43. Ability to transparently migrate systems during automated C&A product transitions (i.e. software version updates, process changes). 44 The ability to support multiple processes to accommodate different types of information systems (i.e.; information systems; standalone systems; platform IT; Research, Development, Test & Evaluation (RDT&E); platform interconnections; software applications; and processes). The ability to support changes to process or create new processes as the need arises. 45. The ability to track documents for staffing and signature. The ability to assign multiple organizations for staffing documents. The ability to approve, reject and sign a document. The C&A Tool shall provide the capability for electronic C&A approval. Ability for reviewers to flag specific portions of documents that led to rejection. The ability to store these documents. The ability to access and export documents. Ability to notify the system owner of the status of progress of the document through the staffing workflow and when rejected or signature assigned to document. The C&A Tool shall provide users with the ability to track the status of the work products assigned. 46. Ability to communicate mission owner acceptance of risk to the Designated Approval Authority (DAA). Ability to support multiple mission owners' risk acceptance for shared use information system. 47. Ability to track system configuration, interface, and system data entered in the tool's database changes. 48. Ability to establish an expandable organizational hierarchy. The C&A Tool shall support drill down capability for the viewing of C&A documents (typical directory structure). 49. Provide training support for all levels of users including program managers, portfolio managers, validators, and senior approval levels. Training should include on-line help, help desk, and documentation for both users and administrators, to include computer-based training (CBT). Provide updates to documentation, training, and CBTs as part of each software upgrade release or process change. The C&A Tool shall have tutorials for users to access online and via CBT. 50. Provide on-line help function. Provide help text on every entry to describe and explain expected answers. The C&A Tool shall provide embedded context-sensitive help. Provide updates to help function with each software upgrade release or process change. Vendor shall provide detailed C&A Tool documentation. 51. Ability to create, provide and modify templates and examples for artifacts required for C&A package completion. 52. Security: The C&A Tool shall allow for a repository of all information security requirements that can be selected based on customer requirements. The C&A Tool shall provide federal information security references. The C&A Tool shall provide a pre-determined list of references that may be edited and added to by the user. The C&A Tool shall contain a repository of information security requirements based upon best practices. The C&A Tool shall implement security requirements stated in NIST 800-53 and CNSS 1253 and support test procedures as outlined in NIST 800-53A and CNSS 1253A. The C&A Tool shall provide the capability to add, modify, and delete security requirements in the repository based upon assigned roles. The C&A Tool shall have the capability to identify security requirements as mandatory or recommended. The C&A Tool shall have the capability to determine what requirements are applicable based upon system or application criticality, sensitivity level of data, as well as integrity and availability requirements. The C&A Tool Security Requirements Reference shall present a baseline set of security requirements for a specific type of system or application. The C&A Tool shall provide the capability to include or exclude security requirements other than Automated Information System (AIS) security requirements such as physical, procedural, personnel, etc. for the specific system or application being certified and accredited. 53. Testing Documentation: The C&A Tool shall provide predefined security test procedures. The C&A Tool shall allow the entry of new security test procedures and test results. The C&A Tool shall provide suggested test activities for each certification level. The C&A Tool shall provide the capability to import test procedures and test results. The C&A Tool shall provide the capability to approve test plans and test procedures. The C&A Tool shall support analyses of test results. 54. The C&A Tool shall identify vulnerabilities of the system or application components and identify countermeasures. 55. The C&A Tool shall provide for an automatic generation of C&A documentation. The C&A Tool shall support the production of both on-line and hardcopy C&A documentation. 56. The Security Test and Evaluation (ST&E) process shall include the capability to document penetration testing by a third party. 57. The C&A Tool shall generate a risk assessment questionnaire based on the customer enterprise baseline security requirements, customer policy, and NIST guidance. The C&A Tool shall allow users to correlate policy, test plans, requirements, and risk in a consistent manner (e.g., map customer policy to produce a generated test plan or Security Requirements Traceability Matrix (SRTM) or map vulnerability information into a test plan). The C&A Tool shall compute a risk factor based on customer criteria. (Individual risk factors and weightings shall be customizable that are utilized to arrive at an overall risk factor.) 58. The C&A Tool shall support a capability to document system or application changes after certification and flag/identify re-certification. 59. The C&A Tool shall support full-text searching. It is desired that the full text capability also support the full text within the BLOBs, such as documents, stored in the data. The system shall provide a flexible search capability, including/providing: Fast searching using such technologies as indexing and crawling; return links to what's found; complex queries (variety of parameters/constraints, using Boolean expressions); results sorted in a variety of ways; refine searches; the system shall allow users to save searches for later use. 60. The C&A Tool shall be able to provide customer templates of Memorandum of Agreements (MOAs), Interconnection Security Agreements (ISAs) and Memorandum of Understandings (MOUs). 61. The C&A Tool shall support the development of NIACAP, DITSCAP, NIST 800-37, DCID 6/3C&A, CNSS 1253 C&A packages. The C&A Tool shall be able to develop System, Type, and Site C&A packages. 62. The C&A Tool shall support users performing quantitative risk assessments. 63. Customization: The C&A Tool shall permit customizable queries of the data. The C&A Tool shall allow the customer the capability to modify the questions and the weights assigned to each question in the certification questionnaire used to determine the certification level. The C&A Tool shall provide the capability to modify the weighting factor assigned to each security requirement in the data repository. The C&A Tool shall provide for customization of user visible structures and workflow processes. The C&A Tool shall allow customization of questions and users screens. The C&A Tool shall provide for the customization of C&A document templates. The C&A Tool shall allow for the development of custom reports. 64. Importing and Exporting Data: The C&A Tool shall allow import and export of data to pdf, html, xls, xlsx, ppt, pptx, doc, dosx, doc and xps files. The C&A Tool shall provide the capability to import inventory information from existing customer data repositories. 65. Vendor staff shall not be required to change forms or database structure. 66. Updates and Upgrades: Vendor shall provide an acceptable mechanism (e.g., ftp or CD) to obtain C&A Tool updates and enhancements within a closed environment. Vendor shall provide mechanisms for notifying customers when software upgrades and enhancements are available. Vendor shall issue updates to reflect changes to Federal C&A regulations within 90 days of enactment. The C&A Tool upgrades shall not affect customer tailored document templates. 67. How extensibleis the proposed solution? The C&A Tool shall be scalable enough to allow for ODNI environment. 68. The C&A Tool tables, screens, forms, templates, and items of that nature shall be customizable by the customer, not just the vendor. Do web forms support server-side business logic? What programming languages can be used to add intelligence to web based forms? Can digital signature blocks be easily incorporated into form templates? Can forms be pre-filled with data already stored in internal systems to minimize the number of fields a user must complete? Are forms able to connect to external data sources and dynamically incorporate data while being completed by the end user? 69. The C&A Tool shall provide a mechanism for cross-referencing to the IT system inventory in the Trusted Agent FISMA Tool. 70. The C&A Tool shall include capabilities to control and monitor the flow of documentation. The document repository shall facilitate standard naming conventions and version control within the repository. The C&A Tool shall provide for document/data recovery. The C&A Tool shall maintain draft versions of documentation until the system or application in question is accredited; then the C&A Tool shall have the capability to delete older draft versions. 71. The C&A Tool shall automatically perform version control and configuration management for documents created as part of a user's work products, including tracking indicating who made specific changes to a document. 72. Users will be restricted to one active logon session. The C&A Tool shall provide concurrency controls to prevent two people from working on the same document section at the same time (e.g. read-only access to a document currently being revised by someone else, read/write access to the customer authorized to make document edits). 73. The system shall provide the capability to archive information objects. The C&A Tool shall support archiving of older versions of C&A documents. The C&A Tool shall provide the capability to retrieve draft documents for review. The C&A Tool shall provide the capability for sections and/or entire documents to be accessible to other staff for completion or review. 74. The C&A Tool shall provide the capability for program managers or appropriate Certification Review Group personnel to review the completed C&A documents and approve for certification. The C&A Tool shall provide the capability to assign Program Managers, System or Application Owners, Analysts, ISSOs, and other security related personnel to project. The C&A Tool shall provide the capability to specify the amount of time allowed for completion of designated tasks (assignments, response to routed documents, etc.). The C&A Tool shall provide the capability to assign document sections to individual team members to complete. The C&A Tool shall store data to allow authenticated users the ability to input, track, and modify information on the certification and accreditation status of multiple projects simultaneously. 75. The C&A Tool shall provide the capability to view and track the C&A schedule in various calendar views (quarterly, monthly, weekly) allowing the user to set calendar properties. (Similar to MS Outlook schedules) The system shall provide an audit trail that captures: path an information object has traveled; tasks performed against the information object; person who performed each task; list of edits and annotations created for the information object; date and time each action was completed. The system shall record/store workflow routing actions, delegation, and/or sub assigning activity (what), date/time stamp information (when), and activity performer information (who). 76. The C&A Tool shall enforce referential integrity of the data repository. The C&A Tool shall not limit the size of the data repository. The C&A Tool shall provide the capability to enter and maintain data for completing all C&A documentation and appendices. The data repository shall be ODBC or JDBC compliant. 77. The C&A Tool shall maintain data for login/authentication. No data shall be accessible to end users from the data repository except via the C&A tool. The C&A Tool shall allow the user to login to the C&A Tool and authenticate once and then grant access to the functionality based on the roles assigned to the user. Once the user logs into the C&A Tool, the C&A Tool shall set his/her roles which shall remain for that logon session. Users shall be automatically locked out of the C&A Tool and have to re-authenticate after no more than 20 minutes of inactivity. The C&A Tool shall use HTTPS for transmission of sensitive data between clients and servers. The C&A Tool shall not require the use of mobile code. The C&A Tool shall have the capability to control access to documentation and appendices at the section level. The C&A Tool shall provide the capability to assign access rights for sections of the project at the activity and document section level. 78. The system shall allow users to print copies of all information objects to include tasks, staff actions, search results, templates, reports, and related metadata on network and local printers. 79. The C&A Tool shall not be constrained from being available on a 24/7 basis. The C&A Tool shall provide for the inherent ability for fault tolerant server processing. 80. The system shall comply with the Workforce Investment Act of 1998, Section 508, Electronic and Information Technology by following the relevant guidance established in section 1194.22 of the Electronic and Information Technology Accessibility Standards Document. 81. As discussed earlier, the preferred login in method is integration with the Air Force portal where credentials can be passed to the application. CAC assess is also required for those people who cannot interface through the portal. If neither of these capabilities is not provided then discuss how passwords are implemented and compare to the password requirements in the AFSSI 8520. If this is not available, then password protection should be provided. This protection should meet the following requirements: 82. What mechanisms does the proposed solution provide to simplify the process of completing complex forms? Are users able to save a copy of a filled-in form to their local file system? Can data entered into forms be automatically extracted without requiring manual processing? Can end users easily attach supporting documents to forms so that all relevant information may be submitted as a single package? Does a mechanism exist to force the user to use the current version of the form even if a user has an older version of a form stored on their hard drive? Can watermarks be auto-generated on each page of the document; "Classified / Non-Classified" for example? 83. The application should be XML compatible, capable of importing and exporting data in XML format. Describe what protocols are support for submitting form data (HTTP, HTTPS, SOAP, email). 84. Content should be rendered to a variety of optional formats, such as PDF, PCL, and PostScript in addition to the XML mentioned previously. 85. The system shall have the ability to interface with MS Exchange/Outlook when alerts are sent out. The system shall use the existing Air Force Directory Services (e.g., Microsoft Exchange, Active Directory, Global Address List (GAL)) to obtain address information. 86. With regard to information objects stored in their native format, the "native" application associated with an information object shall be automatically launched from within the system when the user opens the object for viewing or editing. The system should permit users to view a representation of a document for which the user does not have the native application. Appendix B - Guiding Authorities for Air Force Certification & Accreditation (C&A) DoDI 8510.01, DoD Information Assurance Certification and Accreditation Process (DIACAP), 28 Nov 07 AFPD 33-2, Information Assurance (IA) Program, 19 Apr 07 AFI 33-210, Air Force Certification & Accreditation (C&A) Program (AFCAP), 23 Dec 08 Draft IT Lean Re-engineering Guidebook, Version 6.0, 25 Oct 08 Appendix C - Certification & Accreditation (C&A) Acronyms & Definitions Acronyms AF - Air Force AFCA - Air Force Communications Agency AFCAP - Air Force Certification & Accreditation Program AFI - Air Force Instruction AFPD - Air Force Policy Document AIS - Automated Information Systems C&A - Certification and Accreditation CBT - Computer-based Training CL - Criticality Level COTS - Commercial-off-the-shelf CTNPP - Classified Trusted Network Protect Policy DAA - Designated Accrediting/Approval Authority DIACAP - DoD Information Assurance Certification and Accreditation Process DIP - DIACAP Implementation Plan DITPR - DoD Information Technology Portfolio Repository DNI - Director of National Intelligence DoD - Department of Defense EITDR - Enterprise Information Technology Data Repository eMASS - Enterprise Mission Assurance Support Service FISMA - Federal Information Security Act of 2002 GIG - Global Information Grid GOTS -Government-off-the-shelf GUI - Graphical User Interface IA - Information Assurance IT - Information Technology KS - Knowledge Service MAC - Mission Assurance Code NIST - National Institute of Standards and Technology NSA - National Security Agency PC - Personal Computer PKI - Public Key Infrastructure POA&M - Plan of Action and Milestones POC - Point of Contact RDT&E - Research, Development, Test & Evaluation RFI - Request for Information RFP - Request for Proposal SIP - System Identification Profile UTNPP - Unclassified Trusted Network Protect Policy Definitions Accreditation Decision. A formal statement by a designated accrediting authority (DAA) regarding acceptance of the risk associated with operating a DoD Information System (IS) and expressed as an authorization to operate (ATO), interim ATO (IATO), interim authorization to test (IATT), or denial of ATO (DATO). The accreditation decision may be issued in hard copy with a traditional signature or issued electronically signed with a DoD public key infrastructure (PKI)-certified digital signature. Artifacts. System policies, documentation, plans, test procedures, test results, and other evidence that express or enforce the information assurance (IA) posture of the DoD IS, make up the certification and accreditation (C&A) information, and provide evidence of compliance with the assigned IA controls. Assigned IA Controls. The set of IA controls that a given DoD IS must address to achieve an adequate IA posture. Consist of baseline IA controls plus any augmenting IA controls. Denial of Authorization to Connect-AF-GIG DAA determination that an IS cannot connect to the AF-GIG because of an inadequate IA design, failure to adequately implement assigned IA Controls, or other lack of adequate security If the IS is already connected, the connection of the IS is terminated. DIACAP Implementation Plan (DIP). Contains the IS's assigned IA controls. The plan also includes the implementation status, responsible entities, resources, and the estimated completion date for each assigned IA control. The plan may reference applicable supporting implementation material and artifacts. DIACAP Knowledge Service (KS). A Web-based repository of information and tools for implementing the DIACAP that is maintained through the DIACAP Technical Advisory Group (TAG). DIACAP Package. The collection of documents or collection of data objects generated through DIACAP implementation for an IS. A DIACAP package is developed through implementing the activities of the DIACAP and maintained throughout a system's life cycle. Information from the package is made available as needed to support an accreditation or other decision such as a connection approval. There are two types of DIACAP packages: The Comprehensive Package contains all of the information connected with the certification of the IS. It includes the System Identification Profile (SIP), the DIACAP Implementation Plan (DIP), the Supporting Certification Documentation, the DIACAP Scorecard, and the IT Security POA&M, if required. The Executive Package contains the minimum information for an accreditation decision. It contains the SIP, the DIACAP Scorecard, and the IT Security POA&M, if required. DIACAP Scorecard. A summary report that succinctly conveys information on the IA posture of a DoD IS in a format that can be exchanged electronically. It shows the implementation status of a DoD IS's assigned IA controls (i.e., compliant (C), non compliant (NC), or not applicable (NA)) as well as the C&A status. DoD Information Assurance Certification and Accreditation Process (DIACAP). The DoD process for identifying, implementing, validating, certifying, and managing IA capabilities and services, expressed as IA controls, and authorizing the operation of DoD ISs, including testing in a live environment, in accordance with statutory, Federal, and DoD requirements. DoD Information Technology Portfolio Repository Enterprise IT Data Repository (EITDR). The Air Force database of record for registering all systems and applications as required by public law and DoD directives. Registration in the EITDR is mandatory for all systems and applications developed by the Air Force, or for which the Air Force is the lead agency, or that requires connection to the AF-GIG. The EITDR is also the database of record for IT statutory and regulatory compliance. The repository contains compliance data for Information Assurance (IA), Internet Protocol version 6 (IPv6), Public Key Enabling (PKE), Clinger-Cohen Act, etc. It is the primary data source for Federal Information Security Management Act (FISMA) reporting and the principal vehicle for gathering and storing system and application data to support planned and ad hoc data calls. The EITDR contains information about program management; system and application interfaces; networthiness; funding; Capital Investment Reports (CIRs) and other supporting data to facilitate IT portfolio management. Interim Authorization to Operate (IATO). A temporary authorization to operate a DoD IS under the conditions or constraints enumerated in the accreditation decision. Interim Authorization to Test (IATT). A temporary authorization to test a DoD IS in a specified operational information environment or with live data for a specified time period within the timeframe and under the conditions or constraints enumerated in the accreditation decision. IT Security Plan of Action and Milestones (POA&M). A permanent record that identifies tasks to be accomplished in order to resolve security weaknesses. Required for any accreditation decision that requires corrective actions, it specifies resources required to accomplish the tasks enumerated in the plan and milestones for completing the tasks. Also used to document DAA-accepted non-compliant IA controls and baseline IA controls that are not applicable. An IT Security POA&M may be active or inactive throughout a system's life cycle as weaknesses are newly identified or closed. Mission Assurance Category (MAC). Applicable to DoD information systems, the mission assurance category reflects the importance of information relative to the achievement of DoD goals and objectives, particularly the warfighters' combat mission. Mission assurance categories are primarily used to determine the requirements for availability and integrity. The Department of Defense has three defined mission assurance categories: Mission Assurance Category I (MAC I). Systems handling information that is determined to be vital to the operational readiness or mission effectiveness of deployed and contingency forces in terms of both content and timeliness. The consequences of loss of integrity or availability of a MAC I system are unacceptable and could include the immediate and sustained loss of mission effectiveness. MAC I systems require the most stringent protection measures. Mission Assurance Category II (MAC II). Systems handling information that is important to the support of deployed and contingency forces. The consequences of loss of integrity are unacceptable. Loss of availability is difficult to deal with and can only be tolerated for a short time. The consequences could include delay or degradation in providing important support services or commodities that may seriously impact mission effectiveness or operational readiness. MAC II systems require additional safeguards beyond best practices to ensure adequate assurance. Mission Assurance Category III (MAC III). Systems handling information that is necessary for the conduct of day-to-day business, but does not materially affect support to deployed or contingency forces in the short-term. The consequences of loss of integrity or availability can be tolerated or overcome without significant impacts on mission effectiveness or operational readiness. The consequences could include the delay or degradation of services or commodities enabling routine activities. MAC III systems require protective measures, techniques or procedures generally commensurate with commercial best practices. Validation. Activity applied throughout the system's life cycle to confirm or establish by testing, evaluation, examination, investigation, or competent evidence that a DoD IS's assigned IA controls are implemented correctly and are effective in their application. Validator. Entity responsible for conducting a valiOFFADD: AFNIC/EV 203 W. Losey St, Rm. 1100, Scott AFB IL 62225-5200 SUBJECT: REQUEST FOR INFORMATION DESC: This announcement constitutes a Request for Information (RFI) synopsis. This is not a Request for Proposal. Information obtained as a result of this synopsis is for planning purposes only. It does not constitute an invitation for sealed bid or request for proposal (RFP), nor is it to be construed as a commitment to develop by the government. All inquiries must be sent to: AFNIC.EV@us.af.mil. (618) 229 6271, (FAX (618) 229-6839. The government is currently conducting a market survey and analysis of government-off-the-shelf (GOTS) and commercial off-the-shelf (COTS) products that can meet the requirements to support automation of the certification and accreditation (C&A) process based on the Department of Defense (DoD) Information Assurance Certification and Accreditation Process (DIACAP) for the Department of the Air Force (AF). The C&A process is designed to ensure that IT systems operate at an acceptable risk level, with reduced exposure to threats, and identified vulnerabilities are sufficiently mitigated. C&A provides standardization, increased confidence, lower level of risk, and reduced cost. DoD policy states that all DoD IT systems maintain an appropriate level of confidentiality, integrity, authentication, non-repudiation, and availability that reflects a balance among the importance and sensitivity of the information and information assets. It includes documented threats and vulnerabilities; the trustworthiness of users and interconnecting systems; the impact of impairment or destruction to the DoD IT system; and cost effectiveness. The evolution of C&A and the advent of enterprise-level drivers resulted in the creation of the DoD Information Assurance Certification and Accreditation Process (DIACAP). The goals of net-centricity across the DoD have transformed the way Information Assurance (IA) is achieved to facilitate assured information sharing, accelerated decision making, improved Joint warfighting, and the ability to dynamically exchange system-security credentials. The DIACAP is a dynamic, IA C&A process that supports and complements the net-centric, Global Information Grid (GIG)-based environment. The DIACAP establishes a standard process for: • Identifying, implementing, and validating standardized IA Controls • Authorizing the operation of DoD information systems • Managing an IA posture across the DoD information system life cycle The Air Force Network Integration Center (AFNIC) is seeking information regarding a GOTS or COTS solution to automate the AF C&A process based on DIACAP based on policy guidance in, AF Instruction (AFI) 33-210, Air Force Certification and Accreditation Program (AFCAP). The objective of this RFI is to solicit information regarding a GOTS or COTS product that will be able to perform the total DIACAP integration service, i.e. the design, development, deployment, and support of DIACAP. RFI responses should attempt to address the capabilities described above. The desired set of requirements is listed in Appendix A. The requirements listed could be modified at any time after the RFI to reflect overall changes due to the current needs of the DoD and USAF, regulatory changes, and/or discoveries made during the RFI process, to enhance the requirements prior to any procurement effort. Appendix B contains a list of guiding authorities which shall be adhered to by any solution. Appendix C includes the definitions of key terms as used in this RFI. Once again, due to new regulations being published, current regulations being updated and/or refined, and the changing needs of the USAF, all requirements are subject to change prior to initiating any procurement process. At a minimum, a vendor's RFI submission should provide detailed information on how the proposed product would meet the requirements specified in Appendix A of this RFI and the cost associated with the product. Submission should provide a listing of any Air Force or Government agency (with POC) that is using the product. Any independent verification of vendor claims should also be provided. The response should also include specific answers to the following requests/questions: 19. Describe how sites, systems and users are registered and maintained and show the relationships between them. 20. Describe how the proposed product provides forms, templates and supports the creation and management of all required C&A documentation. 21. Describe the data management/data relationships in the proposed product to support multiple instances (versions) of a system, system installations at multiple sites or enclaves, and multiple C&A packages/accreditation decisions to each system, site and/or enclave. 22. Describe how the product supports the reuse of data from previous packages, stores multiple versions of a package and archives old versions. 23. Describe the proposed product's ability to import and export data in common formats. 24. Describe the proposed product's ability to set priorities for C&A packages. 25. How will the proposed product address the issue of multiple Enterprise Information Technology Data Repository (EITDR) numbers assigned to a single system/application? 26. How will the proposed product support C&A workflow activities, including but not limited to the ability to assign tasks, measure time (work and total), set deadlines, enter revisions, issue approvals and user notification functionality? 27. Describe the proposed product's reporting capability, including pre-defined and user defined reports and filters, support for performance metrics, trend reporting over a period of time, Federal Information Security Act of 2002 (FISMA) reporting requirements and product/portfolio management activities. 28. Describe the proposed product's architecture, including the required interfaces with existing GOTS C&A tools and support for classified C&A packages. Describe if architecture allows multiple server locations. 29. Describe the bandwidth requirements and the ability to work in various environments. 30. Describe the proposed product's support for secure login, data encryption and Unclassified Trusted Network Protect Policy (UTNPP) compliance. Preferred login is through the Air Force portal with credentials passed to the application. CAC assess is also required for those people who cannot interface through the portal. If neither of these capabilities is not already provided then discuss how passwords are implemented and compare to the password requirements in the Appendix A. 31. Describe the administration and training requirements needed to configure and operate the proposed product and reporting functions. What kind of support and/or training is available for the proposed product? 32. Provide examples of where the proposed product has been implemented successfully in other similar enterprises. (Include POC information for cited references). 33. Provide a recommended licensing strategy for implementation for 500 users, 1000 users and 2500+ users. Address 200 simultaneous users and 20,000 total users. Provide acquisition and support costs out to 5 years. Include any costs associated with procuring servers and support software such as the database software. If license tokens are proposed then provide a description of how these tokens are issued and if there are time restrictions on the tokens, for example, if the users are issued license tokens is the time restriction on the token modifiable before released back to system? 34. Describe options for data storage including any limits and recommended architecture for several alternatives. 35. Describe the ability to search data by user, date, field, and/or data elements. 36. Which of the requirements specified in Appendix A of this RFI will your proposed product be unable to meet? What alternative solutions are suggested to fulfill the AF's requirements? 19. Describe the installation and integration support and cost per user seat. Also provide costs for level 2 and level 3 product support. Installation prerequisites, including hardware requirements, operating system requirements (including recommended patch levels), and additional third-party software requirements shall be clearly identified in C&A Tool documentation. 20. Describe the process design environment. Is it based on a standard architecture (e.g. SharePoint Designer, Eclipse, Visual Studio, Oracle, etc.) to provide a familiar environment for developers? Does it incorporate common, familiar, and prevalent process design tools? 21. Does the solution proposed already have DIACAP certification in DoD? 22. Does the system support spell checking? 23. Describe the product's architecture requirements in terms of what database (Microsoft SQL Server/Access, Oracle, or proprietary etc) if any is used, what hardware (type of web server) and software (operating system software, UNIX, LINUX, etc) is required. 24. Describe how the product maintains continuity of operations in case of a point failure. 25. Password and CAC card compatibility: The C&A Tool shall enforce unique user identification and authentication prior to using the tool, preferably with CAC card compatibility. If not CAC, then passwords, which meet the requirements listed in Appendix A, shall be used. 26. Describe if the tool uses any third party code and if this code is proprietary. Vendors responding to this RFI who can make solutions available to the USAF are requested to provide a description of capabilities NLT 16 Oct 09 from publication of this notice. Potential vendors may express interest, make comments, and ask questions via electronic mail, phone call, or fax to the Air Force Network Integration Center, Information Assurance at AFNIC.EV@us.af.mil, (618) 229-6271, FAX (618) 229-6839. All comments and questions must be in writing and must identify the company source, contact person, e-mail address, and telephone number. Appendix A - Certification & Accreditation (C&A) Tool Requirements The following items describe the desired characteristics of an automated C&A product: 1. The ability to support Security discipline of USAF IT Lean process as described in AFPD 33-2, Information Assurance (IA) Program; AFI 33-210, Air Force Certification & Accreditation (C&A) Program (AFCAP); and the IT Lean Re-engineering Guidebook. 2. The ability to register information systems such as platform IT interconnections, outsourced IT, automated information systems (AIS), and enclaves. The C&A Tool shall support the evaluation of the security of the system or application architecture and design. 3. The ability to interface and exchange information with other DoD databases, including but not limited to the Enterprise Information Technology Data Repository (EITDR) and Enterprise Mission Assurance Support Service (eMASS). 4. Ability to import system data from EITDR. 5. Support for document management, including the ability to upload and download documents, associate documents with C&A packages, launch external applications associated with uploaded documents, and version control. Ability to change a document and update all references to it. Ability to automatically date stamp associated documents. Ability to reuse single document or diagram for multiple C&A questions. The C&A Tool shall have document control capability (check-in, check-out). The C&A Tool shall allow authorized users to delete document records they have created. 6. The ability to create and modify templates for entering data associated with packages, creation and modification of forms based on templates, the ability to edit, append, delete, view and search data on forms, and the ability to save history of all forms and data associated with a particular C&A package version. 7. The ability to separately relate data, forms and documents with multiple C&A packages along with the ability to transfer ownership of a package along with all of its associated data, forms and documents. The ability to share data between systems or packages. The C&A Tool shall allow Binary Large Object (BLOB) data type in the database. 8. Ability to reuse data from previous "predecessor" packages in new packages, store and maintain multiple versions of a package and archive old versions. The ability to delete packages if erroneously created. Ability to track C&A status of multiple versions of the same system. 9. The ability to import and export data associated with a C&A package. 10. Ability to store documents. 11. Ability to change a document and update all references to the document (or pick and choose from all references) and/or prompt for other modifications to the artifact or the reference point where stored. 12. The ability to prioritize C&A packages by Mission Assurance Code (MAC), expiration date, or other user-defined parameters. 13. The ability to link or associate multiple C&A packages. 14. The ability to associate EITDR and DoD Information Technology Portfolio Repository (DITPR) numbers with a C&A package. 15. Ability to autopopulate IA controls, implementation procedures, and validation procedures based on DIACAP Knowledge Service (KS). Ability to identify systemic weaknesses associated with non-compliant IA controls 16. Ability to add AF-unique IA controls. 17. Ability to limit IA controls required for a system to those relevant to system MAC and Criticality Level (CL). 18. Ability to support both inheritance of IA controls from other IT systems (originating system) and inheritability of IA controls by other IT systems (receiving system) with originating system owner concurrence. Ability to auto-populate inherited IA controls in inheriting system's C&A package. Ability to provide access to originating system's IA Control validation and certification results from receiving system. Ability to automatically answer and lock inherited controls. Ability to automatically notify owners of receiving systems if IA control response in the originating system changes. 19. Support for C&A workflow activities, including the ability to create and assign activities to users or groups of users, assign activities to C&A packages, assign status to C&A packages based on an activity, create triggers and/or time constraints for activities, and measure working and total time at each activity. Ability to trigger C&A workflow activities based on C&A submitting organization, package type and/or priority. Ability to query any field for data and time stamp. 20. The ability to notify users or groups of users when a time constraint has been exceeded, when status of a C&A package has changed or for other messaging needs. 21. Ability to automatically notify system owner and validators 6 months, 3 months, 2 months, and 1 month before annual review is due; provide weekly notifications for last three weeks; provide daily notifications for last week, and provide daily notifications each day after annual review is due. Ability to automatically cease notifications after annual review is complete. 22. Ability to automatically notify system owner and validators 1 year, 6 months, 3 months, 2 months, and 1 month before re-accreditation is due; provide weekly notifications for last three weeks; provide daily notifications for last week, and provide daily notifications each day after re-accreditation is due. Ability to automatically cease notifications after re-accreditation is complete. 23. Ability to automatically notify system owner and validators on expiration of other key metrics such as IT Security Plan of Action and Milestones (POA&M). 24. Ability to display IA control status using color codes; i.e., red = invalidated, yellow = validated but not approved, green = validated and approved. The C&A Tool shall support users performing qualitative risk assessments. 25. Ability to group controls by artifact/document; ability to track progress by artifact/document. The C&A Tool shall be able to reference C&A documents required at each milestone in the customer System Development Life Cycle process and provide a snapshot in time for the C&A efforts based on System Development Life Cycle process. 26. Ability to answer questions in a later IT Lean phase while awaiting approval of a previous phase. 27. Reporting capabilities, including the ability to create ad-hoc reports limited by user role, filter reports based on multiple criteria, trend reporting and support for Federal Information System Management Act (FISMA) reporting requirements. The C&A Tool shall provide a mechanism for cross-referencing to the IT system inventory in the Trusted Agent FISMA Tool. The C&A Tool shall provide the ability to view the status of all messages, notices, and tool alerts generated by the C&A Tool. The C&A Tool shall provide management reporting capability correlating to the e-Government scorecard (Red, Yellow, Green). The C&A Tool shall have the capability to generate reports that will provide status of the C&A documentation for a project. The C&A Tool shall allow the user to specify input parameters (e.g., fields, sort order) for reports. The C&A Tool shall have the capability to generate summary reports on the status of C&A activities by customer, by DAA, or by other specifiable grouping. The C&A Tool shall have the capability to produce performance metrics as defined by the customer. The C&A Tool shall provide the capability to provide alerts when completion dates for designated tasks have expired or are about to expire. 28. Ability to generate and update a DIACAP Executive Package and Comprehensive DIACAP Package, including System Identification Profile (SIP), DIACAP Implementation Plan (DIP), POA&M, and DIACAP Scorecard in format prescribed by DIACAP KS. Ability to generate FISMA report, and annual testing and review reports. Ability to track, store, access, and export documents for staffing and signature. 29. Ability to provide dashboard views of enterprise, portfolio, and system level statistics. The C&A Tool shall provide the ability to enter and retrieve point of contact information for all the projects. The C&A Tool shall provide the capability to specify when a section of a document is complete. The C&A Tool shall maintain status of system or application certifications and provide customizable recertification alerts. The C&A Tool shall track all messages, notices, alerts generated keeping track of the date, time, type of action (message, notice, alert), source, destination, required response date, actual response date, originator, and recipient. 30. Ability to automate POA&M review process. Ability to allow mission owner to negotiate POA&M and risk acceptance. Ability to permit resource owner input during POA&M development. Ability to provide POA&M tracking and status update. 31. Ability to produce System Security Plan in DoD-required format. 32. Ability to re-accredit versions of systems. 33. Ability to create a DIACAP package for systems that are being developed for non-AF entities that don't have to meet AF requirements. 34. A configurable web based client software that supports standard AF approved browsers and does not require any physical installation on the user's PC. Use only ports 80 and 443 for standard access. Installation prerequisites, including hardware requirements, operating system requirements (including recommended patch levels), and additional third-party software requirements clearly identified in software documentation. 35. Ability to download C&A packages, work on them off-line, and then re-upload them. The C&A Tool shall ensure that temporary files created by the C&A Tool shall be cleared after the user has logged off. 36. Ability to display information using a Graphical User Interface (GUI) front end with point and click functionality. 37. Ability to support both high- and low-bandwidth users. 38. Ability to support Public Key Infrastructure (PKI) and the cryptographic access requirements of AF network login, digital signatures, data encryption and be Unclassified Trusted Network Protect Policy /Classified Trusted Network Protect Policy (CTNPP) compliant. Ability to use PKI digital signatures for all output documents. 39. Ability to restrict user permission and access to portfolio structure to a need-to-know basis. Ability to view by user which permissions have been assigned. Ability to view by system which permissions have been assigned 40. Ability to support classified C&A packages up to the SECRET level. The system shall be designed to meet the security specifications necessary to operate on unclassified and classified networks. The system shall have the capability to force users to enter security markings on documents generated via classified networks. 41. Ability to import system vulnerability scans and associate scans to systems within C&A packages. The C&A Tool shall have the capability to support the importing of vulnerability assessments and of residual risk information. 42. Ability to expand or contract the number and type of controls (i.e., future integration of National Institute of Standards and Technology (NIST), Director of National Intelligence (DNI), or National Security Agency (NSA) controls). 43. Ability to transparently migrate systems during automated C&A product transitions (i.e. software version updates, process changes). 44 The ability to support multiple processes to accommodate different types of information systems (i.e.; information systems; standalone systems; platform IT; Research, Development, Test & Evaluation (RDT&E); platform interconnections; software applications; and processes). The ability to support changes to process or create new processes as the need arises. 45. The ability to track documents for staffing and signature. The ability to assign multiple organizations for staffing documents. The ability to approve, reject and sign a document. The C&A Tool shall provide the capability for electronic C&A approval. Ability for reviewers to flag specific portions of documents that led to rejection. The ability to store these documents. The ability to access and export documents. Ability to notify the system owner of the status of progress of the document through the staffing workflow and when rejected or signature assigned to document. The C&A Tool shall provide users with the ability to track the status of the work products assigned. 46. Ability to communicate mission owner acceptance of risk to the Designated Approval Authority (DAA). Ability to support multiple mission owners' risk acceptance for shared use information system. 47. Ability to track system configuration, interface, and system data entered in the tool's database changes. 48. Ability to establish an expandable organizational hierarchy. The C&A Tool shall support drill down capability for the viewing of C&A documents (typical directory structure). 49. Provide training support for all levels of users including program managers, portfolio managers, validators, and senior approval levels. Training should include on-line help, help desk, and documentation for both users and administrators, to include computer-based training (CBT). Provide updates to documentation, training, and CBTs as part of each software upgrade release or process change. The C&A Tool shall have tutorials for users to access online and via CBT. 50. Provide on-line help function. Provide help text on every entry to describe and explain expected answers. The C&A Tool shall provide embedded context-sensitive help. Provide updates to help function with each software upgrade release or process change. Vendor shall provide detailed C&A Tool documentation. 51. Ability to create, provide and modify templates and examples for artifacts required for C&A package completion. 52. Security: The C&A Tool shall allow for a repository of all information security requirements that can be selected based on customer requirements. The C&A Tool shall provide federal information security references. The C&A Tool shall provide a pre-determined list of references that may be edited and added to by the user. The C&A Tool shall contain a repository of information security requirements based upon best practices. The C&A Tool shall implement security requirements stated in NIST 800-53 and CNSS 1253 and support test procedures as outlined in NIST 800-53A and CNSS 1253A. The C&A Tool shall provide the capability to add, modify, and delete security requirements in the repository based upon assigned roles. The C&A Tool shall have the capability to identify security requirements as mandatory or recommended. The C&A Tool shall have the capability to determine what requirements are applicable based upon system or application criticality, sensitivity level of data, as well as integrity and availability requirements. The C&A Tool Security Requirements Reference shall present a baseline set of security requirements for a specific type of system or application. The C&A Tool shall provide the capability to include or exclude security requirements other than Automated Information System (AIS) security requirements such as physical, procedural, personnel, etc. for the specific system or application being certified and accredited. 53. Testing Documentation: The C&A Tool shall provide predefined security test procedures. The C&A Tool shall allow the entry of new security test procedures and test results. The C&A Tool shall provide suggested test activities for each certification level. The C&A Tool shall provide the capability to import test procedures and test results. The C&A Tool shall provide the capability to approve test plans and test procedures. The C&A Tool shall support analyses of test results. 54. The C&A Tool shall identify vulnerabilities of the system or application components and identify countermeasures. 55. The C&A Tool shall provide for an automatic generation of C&A documentation. The C&A Tool shall support the production of both on-line and hardcopy C&A documentation. 56. The Security Test and Evaluation (ST&E) process shall include the capability to document penetration testing by a third party. 57. The C&A Tool shall generate a risk assessment questionnaire based on the customer enterprise baseline security requirements, customer policy, and NIST guidance. The C&A Tool shall allow users to correlate policy, test plans, requirements, and risk in a consistent manner (e.g., map customer policy to produce a generated test plan or Security Requirements Traceability Matrix (SRTM) or map vulnerability information into a test plan). The C&A Tool shall compute a risk factor based on customer criteria. (Individual risk factors and weightings shall be customizable that are utilized to arrive at an overall risk factor.) 58. The C&A Tool shall support a capability to document system or application changes after certification and flag/identify re-certification. 59. The C&A Tool shall support full-text searching. It is desired that the full text capability also support the full text within the BLOBs, such as documents, stored in the data. The system shall provide a flexible search capability, including/providing: Fast searching using such technologies as indexing and crawling; return links to what's found; complex queries (variety of parameters/constraints, using Boolean expressions); results sorted in a variety of ways; refine searches; the system shall allow users to save searches for later use. 60. The C&A Tool shall be able to provide customer templates of Memorandum of Agreements (MOAs), Interconnection Security Agreements (ISAs) and Memorandum of Understandings (MOUs). 61. The C&A Tool shall support the development of NIACAP, DITSCAP, NIST 800-37, DCID 6/3C&A, CNSS 1253 C&A packages. The C&A Tool shall be able to develop System, Type, and Site C&A packages. 62. The C&A Tool shall support users performing quantitative risk assessments. 63. Customization: The C&A Tool shall permit customizable queries of the data. The C&A Tool shall allow the customer the capability to modify the questions and the weights assigned to each question in the certification questionnaire used to determine the certification level. The C&A Tool shall provide the capability to modify the weighting factor assigned to each security requirement in the data repository. The C&A Tool shall provide for customization of user visible structures and workflow processes. The C&A Tool shall allow customization of questions and users screens. The C&A Tool shall provide for the customization of C&A document templates. The C&A Tool shall allow for the development of custom reports. 64. Importing and Exporting Data: The C&A Tool shall allow import and export of data to pdf, html, xls, xlsx, ppt, pptx, doc, dosx, doc and xps files. The C&A Tool shall provide the capability to import inventory information from existing customer data repositories. 65. Vendor staff shall not be required to change forms or database structure. 66. Updates and Upgrades: Vendor shall provide an acceptable mechanism (e.g., ftp or CD) to obtain C&A Tool updates and enhancements within a closed environment. Vendor shall provide mechanisms for notifying customers when software upgrades and enhancements are available. Vendor shall issue updates to reflect changes to Federal C&A regulations within 90 days of enactment. The C&A Tool upgrades shall not affect customer tailored document templates. 67. How extensible is the proposed solution? The C&A Tool shall be scalable enough to allow for ODNI environment. 68. The C&A Tool tables, screens, forms, templates, and items of that nature shall be customizable by the customer, not just the vendor. Do web forms support server-side business logic? What programming languages can be used to add intelligence to web based forms? Can digital signature blocks be easily incorporated into form templates? Can forms be pre-filled with data already stored in internal systems to minimize the number of fields a user must complete? Are forms able to connect to external data sources and dynamically incorporate data while being completed by the end user? 69. The C&A Tool shall provide a mechanism for cross-referencing to the IT system inventory in the Trusted Agent FISMA Tool. 70. The C&A Tool shall include capabilities to control and monitor the flow of documentation. The document repository shall facilitate standard naming conventions and version control within the repository. The C&A Tool shall provide for document/data recovery. The C&A Tool shall maintain draft versions of documentation until the system or application in question is accredited; then the C&A Tool shall have the capability to delete older draft versions. 71. The C&A Tool shall automatically perform version control and configuration management for documents created as part of a user's work products, including tracking indicating who made specific changes to a document. 72. Users will be restricted to one active logon session. The C&A Tool shall provide concurrency controls to prevent two people from working on the same document section at the same time (e.g. read-only access to a document currently being revised by someone else, read/write access to the customer authorized to make document edits). 73. The system shall provide the capability to archive information objects. The C&A Tool shall support archiving of older versions of C&A documents. The C&A Tool shall provide the capability to retrieve draft documents for review. The C&A Tool shall provide the capability for sections and/or entire documents to be accessible to other staff for completion or review. 74. The C&A Tool shall provide the capability for program managers or appropriate Certification Review Group personnel to review the completed C&A documents and approve for certification. The C&A Tool shall provide the capability to assign Program Managers, System or Application Owners, Analysts, ISSOs, and other security related personnel to project. The C&A Tool shall provide the capability to specify the amount of time allowed for completion of designated tasks (assignments, response to routed documents, etc.). The C&A Tool shall provide the capability to assign document sections to individual team members to complete. The C&A Tool shall store data to allow authenticated users the ability to input, track, and modify information on the certification and accreditation status of multiple projects simultaneously. 75. The C&A Tool shall provide the capability to view and track the C&A schedule in various calendar views (quarterly, monthly, weekly) allowing the user to set calendar properties. (Similar to MS Outlook schedules) The system shall provide an audit trail that captures: path an information object has traveled; tasks performed against the information object; person who performed each task; list of edits and annotations created for the information object; date and time each action was completed. The system shall record/store workflow routing actions, delegation, and/or sub assigning activity (what), date/time stamp information (when), and activity performer information (who). 76. The C&A Tool shall enforce referential integrity of the data repository. The C&A Tool shall not limit the size of the data repository. The C&A Tool shall provide the capability to enter and maintain data for completing all C&A documentation and appendices. The data repository shall be ODBC or JDBC compliant. 77. The C&A Tool shall maintain data for login/authentication. No data shall be accessible to end users from the data repository except via the C&A tool. The C&A Tool shall allow the user to login to the C&A Tool and authenticate once and then grant access to the functionality based on the roles assigned to the user. Once the user logs into the C&A Tool, the C&A Tool shall set his/her roles which shall remain for that logon session. Users shall be automatically locked out of the C&A Tool and have to re-authenticate after no more than 20 minutes of inactivity. The C&A Tool shall use HTTPS for transmission of sensitive data between clients and servers. The C&A Tool shall not require the use of mobile code. The C&A Tool shall have the capability to control access to documentation and appendices at the section level. The C&A Tool shall provide the capability to assign access rights for sections of the project at the activity and document section level. 78. The system shall allow users to print copies of all information objects to include tasks, staff actions, search results, templates, reports, and related metadata on network and local printers. 79. The C&A Tool shall not be constrained from being available on a 24/7 basis. The C&A Tool shall provide for the inherent ability for fault tolerant server processing. 80. The system shall comply with the Workforce Investment Act of 1998, Section 508, Electronic and Information Technology by following the relevant guidance established in section 1194.22 of the Electronic and Information Technology Accessibility Standards Document. 81. As discussed earlier, the preferred login in method is integration with the Air Force portal where credentials can be passed to the application. CAC assess is also required for those people who cannot interface through the portal. If neither of these capabilities is not provided then discuss how passwords are implemented and compare to the password requirements in the AFSSI 8520. If this is not available, then password protection should be provided. This protection should meet the following requirements: 82. What mechanisms does the proposed solution provide to simplify the process of completing complex forms? Are users able to save a copy of a filled-in form to their local file system? Can data entered into forms be automatically extracted without requiring manual processing? Can end users easily attach supporting documents to forms so that all relevant information may be submitted as a single package? Does a mechanism exist to force the user to use the current version of the form even if a user has an older version of a form stored on their hard drive? Can watermarks be auto-generated on each page of the document; "Classified / Non-Classified" for example? 83. The application should be XML compatible, capable of importing and exporting data in XML format. Describe what protocols are support for submitting form data (HTTP, HTTPS, SOAP, email). 84. Content should be rendered to a variety of optional formats, such as PDF, PCL, and PostScript in addition to the XML mentioned previously. 85. The system shall have the ability to interface with MS Exchange/Outlook when alerts are sent out. The system shall use the existing Air Force Directory Services (e.g., Microsoft Exchange, Active Directory, Global Address List (GAL)) to obtain address information. 86. With regard to information objects stored in their native format, the "native" application associated with an information object shall be automatically launched from within the system when the user opens the object for viewing or editing. The system should permit users to view a representation of a document for which the user does not have the native application. Appendix B - Guiding Authorities for Air Force Certification & Accreditation (C&A) DoDI 8510.01, DoD Information Assurance Certification and Accreditation Process (DIACAP), 28 Nov 07 AFPD 33-2, Information Assurance (IA) Program, 19 Apr 07 AFI 33-210, Air Force Certification & Accreditation (C&A) Program (AFCAP), 23 Dec 08 Draft IT Lean Re-engineering Guidebook, Version 6.0, 25 Oct 08 Appendix C - Certification & Accreditation (C&A) Acronyms & Definitions Acronyms AF - Air Force AFCA - Air Force Communications Agency AFCAP - Air Force Certification & Accreditation Program AFI - Air Force Instruction AFPD - Air Force Policy Document AIS - Automated Information Systems C&A - Certification and Accreditation CBT - Computer-based Training CL - Criticality Level COTS - Commercial-off-the-shelf CTNPP - Classified Trusted Network Protect Policy DAA - Designated Accrediting/Approval Authority DIACAP - DoD Information Assurance Certification and Accreditation Process DIP - DIACAP Implementation Plan DITPR - DoD Information Technology Portfolio Repository DNI - Director of National Intelligence DoD - Department of Defense EITDR - Enterprise Information Technology Data Repository eMASS - Enterprise Mission Assurance Support Service FISMA - Federal Information Security Act of 2002 GIG - Global Information Grid GOTS -Government-off-the-shelf GUI - Graphical User Interface IA - Information Assurance IT - Information Technology KS - Knowledge Service MAC - Mission Assurance Code NIST - National Institute of Standards and Technology NSA - National Security Agency PC - Personal Computer PKI - Public Key Infrastructure POA&M - Plan of Action and Milestones POC - Point of Contact RDT&E - Research, Development, Test & Evaluation RFI - Request for Information RFP - Request for Proposal SIP - System Identification Profile UTNPP - Unclassified Trusted Network Protect Policy Definitions Accreditation Decision. A formal statement by a designated accrediting authority (DAA) regarding acceptance of the risk associated with operating a DoD Information System (IS) and expressed as an authorization to operate (ATO), interim ATO (IATO), interim authorization to test (IATT), or denial of ATO (DATO). The accreditation decision may be issued in hard copy with a traditional signature or issued electronically signed with a DoD public key infrastructure (PKI)-certified digital signature. Artifacts. System policies, documentation, plans, test procedures, test results, and other evidence that express or enforce the information assurance (IA) posture of the DoD IS, make up the certification and accreditation (C&A) information, and provide evidence of compliance with the assigned IA controls. Assigned IA Controls. The set of IA controls that a given DoD IS must address to achieve an adequate IA posture. Consist of baseline IA controls plus any augmenting IA controls. Denial of Authorization to Connect-AF-GIG DAA determination that an IS cannot connect to the AF-GIG because of an inadequate IA design, failure to adequately implement assigned IA Controls, or other lack of adequate security If the IS is already connected, the connection of the IS is terminated. DIACAP Implementation Plan (DIP). Contains the IS's assigned IA controls. The plan also includes the implementation status, responsible entities, resources, and the estimated completion date for each assigned IA control. The plan may reference applicable supporting implementation material and artifacts. DIACAP Knowledge Service (KS). A Web-based repository of information and tools for implementing the DIACAP that is maintained through the DIACAP Technical Advisory Group (TAG). DIACAP Package. The collection of documents or collection of data objects generated through DIACAP implementation for an IS. A DIACAP package is developed through implementing the activities of the DIACAP and maintained throughout a system's life cycle. Information from the package is made available as needed to support an accreditation or other decision such as a connection approval. There are two types of DIACAP packages: The Comprehensive Package contains all of the information connected with the certification of the IS. It includes the System Identification Profile (SIP), the DIACAP Implementation Plan (DIP), the Supporting Certification Documentation, the DIACAP Scorecard, and the IT Security POA&M, if required. The Executive Package contains the minimum information for an accreditation decision. It contains the SIP, the DIACAP Scorecard, and the IT Security POA&M, if required. DIACAP Scorecard. A summary report that succinctly conveys information on the IA posture of a DoD IS in a format that can be exchanged electronically. It shows the implementation status of a DoD IS's assigned IA controls (i.e., compliant (C), non compliant (NC), or not applicable (NA)) as well as the C&A status. DoD Information Assurance Certification and Accreditation Process (DIACAP). The DoD process for identifying, implementing, validating, certifying, and managing IA capabilities and services, expressed as IA controls, and authorizing the operation of DoD ISs, including testing in a live environment, in accordance with statutory, Federal, and DoD requirements. DoD Information Technology Portfolio Repository Enterprise IT Data Repository (EITDR). The Air Force database of record for registering all systems and applications as required by public law and DoD directives. Registration in the EITDR is mandatory for all systems and applications developed by the Air Force, or for which the Air Force is the lead agency, or that requires connection to the AF-GIG. The EITDR is also the database of record for IT statutory and regulatory compliance. The repository contains compliance data for Information Assurance (IA), Internet Protocol version 6 (IPv6), Public Key Enabling (PKE), Clinger-Cohen Act, etc. It is the primary data source for Federal Information Security Management Act (FISMA) reporting and the principal vehicle for gathering and storing system and application data to support planned and ad hoc data calls. The EITDR contains information about program management; system and application interfaces; networthiness; funding; Capital Investment Reports (CIRs) and other supporting data to facilitate IT portfolio management. Interim Authorization to Operate (IATO). A temporary authorization to operate a DoD IS under the conditions or constraints enumerated in the accreditation decision. Interim Authorization to Test (IATT). A temporary authorization to test a DoD IS in a specified operational information environment or with live data for a specified time period within the timeframe and under the conditions or constraints enumerated in the accreditation decision. IT Security Plan of Action and Milestones (POA&M). A permanent record that identifies tasks to be accomplished in order to resolve security weaknesses. Required for any accreditation decision that requires corrective actions, it specifies resources required to accomplish the tasks enumerated in the plan and milestones for completing the tasks. Also used to document DAA-accepted non-compliant IA controls and baseline IA controls that are not applicable. An IT Security POA&M may be active or inactive throughout a system's life cycle as weaknesses are newly identified or closed. Mission Assurance Category (MAC). Applicable to DoD information systems, the mission assurance category reflects the importance of information relative to the achievement of DoD goals and objectives, particularly the warfighters' combat mission. Mission assurance categories are primarily used to determine the requirements for availability and integrity. The Department of Defense has three defined mission assurance categories: Mission Assurance Category I (MAC I). Systems handling information that is determined to be vital to the operational readiness or mission effectiveness of deployed and contingency forces in terms of both content and timeliness. The consequences of loss of integrity or availability of a MAC I system are unacceptable and could include the immediate and sustained loss of mission effectiveness. MAC I systems require the most stringent protection measures. Mission Assurance Category II (MAC II). Systems handling information that is important to the support of deployed and contingency forces. The consequences of loss of integrity are unacceptable. Loss of availability is difficult to deal with and can only be tolerated for a short time. The consequences could include delay or degradation in providing important support services or commodities that may seriously impact mission effectiveness or operational readiness. MAC II systems require additional safeguards beyond best practices to ensure adequate assurance. Mission Assurance Category III (MAC III). Systems handling information that is necessary for the conduct of day-to-day business, but does not materially affect support to deployed or contingency forces in the short-term. The consequences of loss of integrity or availability can be tolerated or overcome without significant impacts on mission effectiveness or operational readiness. The consequences could include the delay or degradation of services or commodities enabling routine activities. MAC III systems require protective measures, techniques or procedures generally commensurate with commercial best practices. Validation. Activity applied throughout the system's life cycle to confirm or establish by testing, evaluation, examination, investigation, or competent evidence that a DoD IS's assigned IA controls are implemented correctly and are effective in their application. Vdation procedure.
Web Link: FBO.gov Permalink
(https://www.fbo.gov/spg/USAF/AMC/HQAMCC/EVSC1000/listing.html)
Place of Performance: Address: AFNICEV, 203 W Lossey St, Scott AFB IL 62225, Scott afb, Illinois, 62225, United States; Zip Code: 62225
Record: SN01965395-W 20090924/090923001424-4d17a181a976e1d7c828179c59339fac (fbodaily.com)
Source: FedBizOpps Link to This Notice
(may not be valid after Archive Date)

| FSG Index | This Issue's Index | Today's FBO Daily Index Page |

Loren Data's SAM Daily™

D -- IA Certification & Accredatation Process