Loren Data's SAM Daily™

FBO DAILY ISSUE OF SEPTEMBER 30, 2010 FBO #3232
MODIFICATION

R -- Certification and Accreditation of USADF Information Systems

Notice Date
9/28/2010
 
Notice Type
Modification/Amendment
 
NAICS
541519 — Other Computer Related Services
 
Contracting Office
African Development Foundation, Contracts Office, African Development Foundation, Washington, DC, 1400 Eye Street, N.W., Suite 1000, 10th Floor, Washington, District of Columbia, 20005
 
ZIP Code
20005
 
Solicitation Number
ADF-10-Q-400
 
Archive Date
10/20/2010
 
Point of Contact
Contracting Officer, Phone: 202-233-8800
 
E-Mail Address
adfcontractbids@usadf.gov
 
Small Business Set-Aside
Total Small Business
 
Description
Statement of Work

1. Are the two systems currently approved to operate or is this initial certification and accreditation for them?
ANSWER: Currently Approved

2. If they are currently approved to operate, what is the expiration date(s) of the current approvals?
ANSWER: November, 2010

3. Have the SSPs for the systems been developed and approved or is the contractor expected to develop them?
ANSWER: The System Security Plan (SSP) is expected to be developed by the contractor and will be compliant with NIST SP 800-18.

4. Are business continuity/disaster recovery plans in place for the two systems?
ANSWER: NO

5. Is this a new requirement or a follow-on contract?
ANSWER: New Requirement

6. If this contract is covered by the Service Contract Act (SCA) please indicate which specific job code on the Wage Determination (WD) that is most closely related to the services required?
ANSWER: Not Applicable

7. Where is the place(s) of performance - CONUS or OCONUS? If OCONUS, would you care to share what country or countries?
ANSWER: Washington, DC (CONUS)

8. If travel will be involved, will it be a separate CLIN or rolled up into Incidental Cost?
ANSWER: Not Applicable

9. Have ADF decision makers prepared or briefed the impacted employees and business area stakeholders (e.g., I.T. & Security staff) of the benefits of the C&A and potential time line when it shall be executed?
ANSWER: YES

10. Will the government provide a dedicated federal staff who will facilitate and coordinate the extensive interviews that need to occur in order to meet the deliverables/time lines stated in the SOW?
ANSWER: YES

11. Does the government anticipate any internal road-blocks, or red-tapes, or political food-chains that may need to be managed/mitigated in advance of our team arriving?
ANSWER: NO

12. Have the WAN and PSS been certified and accredited, if yes, when?
ANSWER: YES; November, 2007

13. Is there an incumbent that has been performing the Risk Assessments and ST&E's for ADF, if yes, who? Is the incumbent eligible to bid on this effort?
ANSWER: Not Applicable

14. When was the last time a Contingency Plan test was conducted on either the WAN or PSS?
ANSWER: Not Applicable

15. Where are the production systems located for both the WAN and PSS? Are they at the ADF headquarters or at a remote data center?
ANSWER: Washington, DC

16. What are your resume requirements for proposed key personnel?
ANSWER: Qualified to do work

17. Can you provide a network topology of the USADF WAN?
ANSWER: NO

18. Can you provide a specific inventory (manufacturer and quantities) USADF WAN devices?
ANSWER: NO

19. Can you provide a network topology of the USADF PSS?
ANSWER: The network topology consists of (10+) Dell Servers, (4-6) CISCO Routers/Switches, Tipping Point 50, PBX phone system

20. Can you provide a specific inventory (manufacturer and quantities) USADF PSS devices?
ANSWER: See Question 19

21. Are these in scope:
    Application (ADF Web code analysis)
    ANSWER: NO
    WAN (MPLS/ATM/Frame Relay: core-to-core/end-to-core)?
    ANSWER: YES - MPLS (but since we are disconnecting overseas sites we are technically just a LAN)
    Telecomm (VoIP, Modem, PBX)
    ANSWER: NO
    Virtual (VMWare, VDI)
    ANSWER: NO
    Wireless (Wi-Fi, WiMAX)
    ANSWER: NO
    Social Engineering (on-site entry for DC, phone based info/password extraction)
    ANSWER: NO

22. How many nodes/IPs are in scope:
    Internal
    ANSWER: Less than 200 including Workstations
    External
    ANSWER: Less than 10

23. Is Password Cracking in scope?
ANSWER: No

Risk Assessment

24. Has the ADF carried out detailed Risk Assessments before, or is this the first one?
ANSWER: YES

25. Has the ADF carried out a full scope Information Security & Vulnerability Assessment (a.k.a. C&A) before?
ANSWER: YES

26. Does the ADF have an existing and detailed Information Security Policy & Program in place or will the final report from this C&A effort be used as a baseline to develop one?
ANSWER: The report from the C&A Effort will be used to develop Security Policy

27. Where does the CSO (or CISO) reside in the ADF Org Chart, relative to I.T. department vs Senior/Executive Management team?
ANSWER: Not Applicable

28. There is a reference to the Nuclear Regulatory Commission Risk Assessment Report template. Is this template available for review and analysis to help gauge the level of effort?
ANSWER: Not Applicable

29. Does the African Development Foundation use any specific tool for Certification and Accreditation (C&A), for example, Cyber Assessment and Management (CSAM) Certification and Accreditation Web Tool (currently licensed under Department of Justice to different agencies), or any other tool for C&A activities?
ANSWER: NO

30. As per FISMA guidelines, does The African Development Foundation periodically perform Vulnerabilities Assessment and Penetration of the Networks by its IT department or Third party vendor? If not, do you anticipate that contractor hired for this project would do such Vulnerabilities Assessments and Penetration Test for systems and Networks in scope?
ANSWER: YES

31. When was the last vulnerability scan performed on the WAN and PSS and what type of scans were performed (i.e. network, application, etc.)?
ANSWER: December, 2009

32. Will the government provide the automated testing tools to the contractor as GFE?
ANSWER: No Government Furnished Equipment will be provided

33. Does ADF have a complete and up-to-date System Security Plan, Contingency Plan, Privacy Threshold Analysis and, if required, a Privacy Impact Analysis?
ANSWER: NO

34. What was the last FIPS 199 rating for both systems?
ANSWER: LOW

35. Are there existing system POA&Ms?
ANSWER: YES

36. Does ADF operate a test system for the WAN and PSS?
ANSWER: YES

37. What Specific applications are operating on the WAN?
ANSWER: Grants Management Database Application

38. What is the function of the "ADF Web Software Application" that operates on the PSS?
ANSWER: The ADF Web Software application is the consolidation of the Grants Management Database Application system and ProReq

39. Does ADF perform Continuous Monitoring on the WAN and PSS?
ANSWER: YES

40. Does the WAN support Voice Over Internet Protocol (VOIP)?
ANSWER: YES

41. What type of Authentication technology is used with both the WAN and PSS?
ANSWER: Kerberos and NTLMv2

42. Is the encryption technology you employ FIPS 140-2 compliant?
ANSWER: Encryption isn't implemented inside the LAN, scans will not cross outside of USADF logical borders

43. Is Personally Identifiable Information (PII) processed by either the PSS or WAN?
ANSWER: YES

44. What version of the Windows Operating System are you using?
ANSWER: Windows XP, Windows 7, Server 2003, Server 2008, Server 2008-R2

45. Are your workstations Federal Desktop Core Configuration (FDCC) compliant?
ANSWER: YES

46. Does the ADF Web Software Application use mobile code?
ANSWER: Not Applicable

Security Testing and Evaluation

47. In the ST&E task, the solicitation references NIST SP 800-53A dated July 2008 instead of NIST SP 800-53A, Rev 1 dated July 2010, was this intentional?
ANSWER: NO

48. Referenced is NIST 800-53A (July 2008). Should this be NIST 800-53A (July 2010)?
ANSWER: YES

49. Is the contractor required to develop an ST&E Plan and a SAR?
ANSWER: YES

50. As part of this effort, what documentation will be available to the contractor from the last accreditation/certification on both of these systems?
ANSWER: YES

51. What is the page limit on the solicitation response?
ANSWER: See structure format guidelines in RFF Summary of Deliverables

52. The Time frames section of the solicitation indicates a Contract Award Date of 10/8/2010 and beginning work on 10/13/2010. The Summary of Deliverables requires a General Work Plan and Schedule 2 weeks after contract award (10/27/2010). Using this timeline the awarded contractor would have less than 1 week to provide draft reports to both tasks for the two systems. Is this schedule for performing both the Risk Assessment and the ST&E tasks? The timeline for the draft reports seems overly aggressive and unrealistic. Will changes to these dates be considered? Is the Nov 30, 2010 driven by an expiring ATO?
ANSWER: Submit best estimated timeframe in proposal

53. In response to the bidder's question that is due on the 15th, could you please let me know if you want your correspondence via e-mail or official mail?
ANSWER: Email

54. Are all the dates below still accurate?
    9/15/10 Bidders Questions Due
    9/21/10 ADF posted answers
    9/27/10 Final Bids Due
    10/1/10 Evaluations completed
    10/8/10 Contract Awarded
    10/13/10 Contract Work Begins
ANSWER: New Schedule
    09/15/10 Bidders Questions Due
    09/28/10 ADF posted answers
    10/05/10 Final Bids Due
    10/08/10 Evaluations completed
    10/15/10 Contract Awarded
    10/20/10 Contract Work Begins
 
Web Link
FBO.gov Permalink
(https://www.fbo.gov/spg/ADF/ADFADF1/ADFADFL/ADF-10-Q-400/listing.html)
 
Place of Performance
Address: Washington, DC, Washington, District of Columbia, 20005, United States
Zip Code: 20005
 
Record
SN02299402-W 20100930/100928234922-b0b244b220b37bd05b4f344f2d9aad01 (fbodaily.com)
 