Loren Data's SAM Daily™

fbodaily.com
FBO DAILY ISSUE OF JANUARY 10, 2013 FBO #4065
SOURCES SOUGHT

70 -- Database Vulnerability and Compliance Assessment Tool - NIST SP800-53 Guidance Controls

Notice Date
1/8/2013
 
Notice Type
Sources Sought
 
NAICS
423430 — Computer and Computer Peripheral Equipment and Software Merchant Wholesalers
 
Contracting Office
Department of State, Office of Acquisitions, Acquisition Management, 1701 N. Ft. Myer Drive, Arlington, Virginia, 22209, United States
 
ZIP Code
22209
 
Solicitation Number
SAQMMA13SS7780
 
Archive Date
1/16/2013
 
Point of Contact
Anil N. Nayak, Phone: 703-875-6843, Vincent J Sanchez, Phone: 703-875-6629
 
E-Mail Address
nayakan@state.gov, SanchezVJ@state.gov
 
Small Business Set-Aside
N/A
 
Description
Significant Government Guidelines. This sources sought notice is intended for market research purposes only. This is NOT a Request for Proposal (RFP) or any type of solicitation for competition, and this sources sought notice does not commit the Government to solicit or award anything now or in the future. There is no finalized, definitive requirement available at this time; this is only a potential upcoming requirement, and industry sources are being sought to respond to this notice with the information requested below. The purpose of this notice is to conduct market research to identify qualified and interested sources that could provide the services and/or supplies as stated.

The U.S. Department of State is in search of potential sources for a Database Vulnerability and Compliance Assessment Tool.

The objectives/scope:
- Produce a robust inventory of DOS-managed databases through database discovery scans and coordinate with IRM/IA to leverage iPost to influence user cooperation.
- Assess the security posture of DOS-managed databases, identify vulnerabilities, and enable system owners to mitigate risk.
- Manage the configuration of DOS databases and ensure compliance with DOS configuration standards.
- Provide vulnerability reports to document and analyze implemented controls.
- Provide the option to integrate database scanning into our enterprise management console (iPost) to emphasize enterprise database compliance with DOS standards.
- Implement a database vulnerability and compliance scanning solution that will meet all stakeholder needs and avoid duplication of effort throughout the enterprise.

Minimum Technical Requirements:

High-Priority Capabilities (The criteria in this section we consider critical to our environment.)
- Ability to perform discovery scans across the Wide Area Network (WAN).
- Ability to perform scans across the WAN.
- Ability to schedule scans to run periodically (Weekly, Monthly, Semi-Annually, Annually) and to use that scan template to quickly set up and execute ad-hoc scans.
- Cover all of the database types which are likely to reside in the enterprise (Microsoft SQL, Oracle, MySQL, DB2, etc.).
- Provide a single dashboard, per network, to compile all scan information and results in a centralized location.
- Basic import of US Government standards for compliance checks: NIST, DISA STIG, etc.
- Permissions must be granular enough to allow CA/Consular Systems and Technology (CST) personnel to perform, manage, and gather results without E&V assistance.
- The ability to prepare customized reporting and the ability to export aggregate data for inclusion into iPost.
- The ability to correlate, analyze, and trend the data collected to aid in creating effective remediation strategies.
- Due to the size and scope of our enterprise, we require the ability to create and edit custom checks.
- Detailed vulnerability remediation steps are required to help administrators remediate any findings.
- Built-in credential management is important for keeping customer credentials secure and organized.

Medium-Priority Capabilities (We consider medium-priority items features that are highly desired and will increase usability and efficiency of the product.)
- Perform scans in a reasonable timeframe.
- On-site product training from technical experts to ensure best-practice installation and operation of the product.
- Weak/blank password detection and reporting.
- Update all components of the system from one central location to ensure consistency among all components.
- DOS still has some instances of Lotus Domino in production. The ability to cover these aging assets without creating custom content would be helpful.

Low-Priority Capabilities (We consider low-priority items to be non-essential features that would improve the experience, but are not essential to operation or management of the product.)
- Product experience in a 100K+ node enterprise environment.
- Vendor experience in supporting large US Government customers.
- Supported by multiple certified manufacturer resellers.
- Provide the delta between scans to quickly find what has been remediated from scan to scan.

*The requirements for database vulnerability and compliance scanning primarily come from NIST guidelines. Attached are some of the significant, applicable sections of the NIST SP800-53. A full listing of the guidelines can be found at http://csrc.nist.gov/publications/PubsSPs.html.*

If your firm is interested in providing information to the U.S. Department of State, we request that your firm respond to this notice with the following information:
1. Company name, address, points of contact including phone numbers and e-mail addresses, manufacturing sites and locations;
2. Company Cage Code and DUNS Number, business size (large or small business, and if small, indicate what type of small business concern (e.g. EDWOSB, HUBZone, 8(a), woman-owned, etc.));
3. Past performance references along with brief descriptions of previous projects, if applicable;
4. Any certifications, special licensing, or industry-recognized awards or credentials your firm may hold for this particular type of requirement;
5. Detailed information, including salient specifications, of your solution or Database Vulnerability and Compliance Assessment Tool; information provided should also address the minimum technical requirements (both high- and medium-priority capabilities; solutions addressing low-priority capabilities are strongly encouraged) stated above;
6. Warranty information and service life, if applicable.

All of the items above should be addressed in your firm's response to this notice, and any questions can be directed to the points of contact listed on this notice. Please address each of the items above to the best of your firm's ability, given time and resources, within a 30-page limit. There will be NO compensation for responses to this sources sought notice. All participation is purely voluntary and shall incur no costs to the Government. All submissions should be sent via email to SanchezVJ@state.gov and NayakAN@state.gov by the notice response date referenced on this sources sought notice.
 
Web Link
FBO.gov Permalink
(https://www.fbo.gov/spg/State/A-LM-AQM/A-LM-AQM/SAQMMA13SS7780/listing.html)
 
Record
SN02961385-W 20130110/130108234603-7d6d9718290545e5280d3cbdb4dad73e (fbodaily.com)
 
Source
FedBizOpps Link to This Notice
(may not be valid after Archive Date)
