Federal Bid

Last Updated on 20 Oct 2010 at 8 AM
Combined Synopsis/Solicitation
Washington, District of Columbia

Certification and Accreditation of USADF Information Systems

Solicitation ID ADF-10-Q-400
Posted Date 28 Sep 2010 at 7 PM
Archive Date 20 Oct 2010 at 5 AM
NAICS Category
Product Service Code
Set Aside Total Small Business (SBA) Set-Aside (FAR 19.5)
Contracting Office African Development Foundation, Washington, DC
Agency African Development Foundation
Location Washington, District of Columbia, United States


Statement of Work

1.  Are the two systems currently approved to operate or is this initial certification and accreditation for them?

     ANSWER: Currently Approved


2.  If they are currently approved to operate, what is the expiration date(s) of the current approvals?

     ANSWER: November, 2010


3.  Have the SSPs for the systems been developed and approved or is the contractor expected to develop them?

ANSWER: The System Security Plan (SSP) is expected to be developed by the contractor and will be compliant with NIST SP 800-18.


4.   Are business continuity/disaster recovery plans in place for the two systems?

ANSWER: NO

5.       Is this a new requirement or a follow-on contract?

ANSWER: New Requirement


6.      If this contract is covered by the Service Contract Act (SCA), please indicate which specific job code on the Wage Determination (WD) is most closely related to the services required.

ANSWER: Not Applicable

7.      Where is the place(s) of performance - CONUS or OCONUS?  If OCONUS, would you care to share what country or countries?

ANSWER: Washington, DC (CONUS)


8.       If travel will be involved, will it be a separate CLIN or rolled up into Incidental Cost?

ANSWER: Not Applicable


9.       Have ADF decision makers prepared or briefed the impacted employees and business area stakeholders (e.g., I.T. & Security staff) on the benefits of the C&A and the potential time line when it shall be executed?

ANSWER: YES

10.   Will the government provide dedicated federal staff who will facilitate and coordinate the extensive interviews that need to occur in order to meet the deliverables/time lines stated in the SOW?

ANSWER: YES

11.   Does the government anticipate any internal road-blocks, red tape, or political food chains that may need to be managed/mitigated in advance of our team arriving?

ANSWER: NO

12.    Have the WAN and PSS been certified and accredited? If yes, when?

ANSWER: YES; November, 2007

13.     Is there an incumbent that has been performing the Risk Assessments and ST&Es for ADF? If yes, who? Is the incumbent eligible to bid on this effort?

ANSWER: Not Applicable

14.    When was the last time a Contingency Plan test was conducted on either the WAN or PSS?

ANSWER: Not Applicable


15.    Where are the production systems located for both the WAN and PSS?  Are they at the ADF headquarters or at a remote data center?

ANSWER: Washington, DC


16.    What are your resume requirements for proposed key personnel?

ANSWER:  Qualified to do work


17.    Can you provide a network topology of the USADF WAN?

ANSWER:  NO

18.    Can you provide a specific inventory (manufacturer and quantities) of USADF WAN devices?

ANSWER:  NO

19.   Can you provide a network topology of the USADF PSS?

ANSWER:  The network topology consists of (10+) Dell servers, (4-6) Cisco routers/switches, a TippingPoint 50, and a PBX phone system


20.    Can you provide a specific inventory (manufacturer and quantities) of USADF PSS devices?

ANSWER:  See Question 19

21.   Are these in scope:

Application (ADF Web code analysis)?

ANSWER:  NO

WAN (MPLS/ATM/Frame Relay: core-to-core/end-to-core)?

ANSWER: YES - MPLS (but since we are disconnecting overseas sites we are technically just a LAN)

Telecomm (VoIP, Modem, PBX)?

ANSWER: NO

Virtual (VMware, VDI)?

ANSWER: NO

Wireless (Wi-Fi, WiMAX)?

ANSWER: NO

Social Engineering (on-site entry for DC, phone-based info/password extraction)?

ANSWER:  NO

22.    How many nodes/IPs are in scope:

Internal

ANSWER: Less than 200 including Workstations

External

ANSWER: Less than 10

23.   Is Password Cracking in scope?

ANSWER: No

Risk Assessment

24.  Has the ADF carried out detailed Risk Assessments before, or is this the first one?

ANSWER: YES


25.  Has the ADF carried out a full scope Information Security & Vulnerability Assessment (a.k.a. C&A) before?

ANSWER: YES

26.    Does the ADF have an existing and detailed Information Security Policy & Program in place or will the final report from this C&A effort be used as a baseline to develop one?

ANSWER:  The report from the C&A Effort will be used to develop Security Policy


27.   Where does the CSO (or CISO) reside in the ADF Org Chart, relative to the I.T. department vs. the Senior/Executive Management team?

ANSWER: Not Applicable

28.  There is a reference to the Nuclear Regulatory Commission Risk Assessment Report template. Is this template available for review and analysis to help gauge the level of effort?

ANSWER: Not Applicable

29.   Does the African Development Foundation use any specific tool for Certification and Accreditation (C&A), for example the Cyber Assessment and Management (CSAM) Certification and Accreditation Web Tool (currently licensed by the Department of Justice to different agencies), or any other tool for C&A activities?

ANSWER: NO

30.   As per FISMA guidelines, does the African Development Foundation periodically perform Vulnerability Assessments and Penetration Testing of the Networks through its IT department or a third-party vendor? If not, do you anticipate that the contractor hired for this project would do such Vulnerability Assessments and Penetration Tests for the systems and Networks in scope?

ANSWER: YES

31.    When was the last vulnerability scan performed on the WAN and PSS and what type of scans were performed (i.e. network, application, etc.)?

ANSWER: December, 2009


32.    Will the government provide the automated testing tools to the contractor as GFE?

ANSWER: No Government Furnished Equipment will be provided


33.    Does ADF have a complete and up-to-date System Security Plan, Contingency Plan, Privacy Threshold Analysis and, if required, a Privacy Impact Analysis?

ANSWER: NO


34.    What was the last FIPS 199 rating for both systems?

ANSWER: LOW


35.    Are there existing system POA&Ms?

ANSWER: YES


36.    Does ADF operate a test system for the WAN and PSS?

ANSWER: YES


37.    What Specific applications are operating on the WAN?

ANSWER: Grants Management Database Application

38.   What is the function of the "ADF Web Software Application" that operates on the PSS?

ANSWER: The ADF Web Software application is the consolidation of the Grants Management Database Application system and ProReq

39.    Does ADF perform Continuous Monitoring on the WAN and PSS?

ANSWER: YES


40.    Does the WAN support Voice Over Internet Protocol (VOIP)?

ANSWER: YES

41.   What type of Authentication technology is used with both the WAN and PSS?

ANSWER: Kerberos and NTLMv2

42.    Is the encryption technology you employ FIPS 140-2 compliant?

ANSWER: Encryption isn't implemented inside the LAN; scans will not cross outside of USADF logical borders

43.    Is Personally Identifiable Information (PII) processed by either the PSS or WAN?

ANSWER: YES
44.    What version of the Windows Operating System are you using?

ANSWER:  Windows XP, Windows 7, Server 2003, Server 2008, Server 2008 R2

45.    Are your workstations Federal Desktop Core Configuration (FDCC) compliant?

ANSWER:  YES

46.    Does the ADF Web Software Application use mobile code?

ANSWER: Not Applicable


Security Testing and Evaluation

47.    In the ST&E task, the solicitation references NIST SP 800-53A dated July 2008 instead of NIST SP 800-53A, Rev 1 dated July 2010, was this intentional?

ANSWER: NO


48.    Referenced is NIST 800-53A (July 2008).  Should this be NIST 800-53A (July 2010)?

ANSWER: YES


49.    Is the contractor required to develop an ST&E Plan and a SAR?

ANSWER: YES

50.    As part of this effort, what documentation will be available to the contractor from the last accreditation/certification on both of these systems?

ANSWER: YES

51.    What is the page limit on the solicitation response?

ANSWER: See structure format guidelines in RFF

Summary of Deliverables

52.   The Time frames section of the solicitation indicates a Contract Award Date of 10/8/2010 and beginning work on 10/13/2010. The Summary of Deliverables requires a General Work Plan and Schedule 2 weeks after contract award (10/27/2010). Using this timeline the awarded contractor would have less than 1 week to provide draft reports for both tasks for the two systems. Is this schedule for performing both the Risk Assessment and the ST&E tasks? The timeline for the draft reports seems overly aggressive and unrealistic. Will changes to these dates be considered? Is the Nov 30, 2010 date driven by an expiring ATO?

ANSWER: Submit best estimated timeframe in proposal


53.    Regarding the bidders' questions that are due on the 15th, could you please let me know if you want your correspondence via e-mail or official mail?

ANSWER: Email


54.    Are all the dates below still accurate?

9/15/10 Bidders Questions Due
9/21/10 ADF posted answers
9/27/10 Final Bids Due
10/1/10 Evaluations completed
10/8/10 Contract Awarded
10/13/10 Contract Work Begins

ANSWER: New Schedule

09/15/10 Bidders Questions Due
09/28/10 ADF posted answers
10/05/10 Final Bids Due
10/08/10 Evaluations completed
10/15/10 Contract Awarded
10/20/10 Contract Work Begins

Bid Protests Not Available