REQUEST FOR INFORMATION

Transcription

1 Department of Management Services REQUEST FOR INFORMATION Cyber-Security Assessment, Remediation, and Identity Protection, Monitoring, and Restoration Services RFI Response Joel Atkinson Associate Category Manager Florida Department of Management Services Division of State Purchasing 4050 Esplanade Way Suite 360 Tallahassee, Florida Ph: Fax: September 1, 2015 TestPros, Inc Lake Center Plaza, #306 Sterling, VA Phone Fax This response includes data that shall not be disclosed outside the Government and shall not be duplicated, used, or disclosed in whole or in part for any purpose other than to evaluate this RFI response. This restriction does not limit the Government's right to use information contained in this data if it is obtained from another source without restriction. This restriction applies to all pages of this response.

2 INTRODUCTION: The Department of Management Services Division of State Purchasing (Department) is issuing this Request for Information (RFI) to the General Services Administration (GSA) Schedule 70 vendor community to obtain information about vendors that are able to perform cyber-security assessment and remediation, as well as identity protection, monitoring and restoration services under this schedule. COMPANY INFORMATION: TestPros, Inc. Business size Small Business Top Secret facility clearance DUNS: Primary NAICS: CAGE Code: 3CMW0 Tax ID: GSA Schedule #GS-35F-0395U TestPros, Inc Lake Center Plaza, Suite #306 Sterling VA (Phone) Technical POC: Kevin Murray, , Administrative POC: Christina Wolfe, , TestPros is a small business with a 27-year track record of helping Government and Commercial customers maximize the value of their IT investments while ensuring their systems are usable, reliable, safe, and secure. We provide enterprise-wide program management, Operational Test and Evaluation (OT&E) services, Independent Verification and Validation (IV&V), Oversight, Quality Assurance (QA), software development, compliance (508, Security, Privacy, etc.), and cyber security (FISMA, DIACAP, FedRAMP Cloud Security, A&A, C&A) for our customers on a global basis. TestPros staff maintain a variety of professional certifications in cyber security, including CISSP and CCSK. TestPros has Extensive Prime Contracting Experience: TestPros is a successful prime contractor on the DHS EAGLE II FC3 (Test & Evaluation) contract, GSA ALLIANT GWAC, FAA efast MOA, FBI QA/IV&V IDIQ, and GSA Schedule IT 70. Florida benefits with low risk solutions delivered by a TestPros Program Management Office (PMO) whose people, processes and technologies have been optimized over our 27+ years of primarily performance based contracting. 1

3 RFI RESPONSE: TestPros has the experience, capabilities, tools, trained staff, and the desire to assist all State of Florida agencies with Cyber-Security Assessment, Remediation, and Identity Protection, Monitoring, and Restoration Services. TestPros can provide all of the services requested via this RFI, including: Pre-Incident Services: a) Incident Response Agreements Terms and conditions in place ahead of time to allow for quicker response in the event of a cyber-security incident. b) Assessments Evaluate a State Agency s current state of information security and cybersecurity incident response capability. c) Preparation Provide guidance on requirements and best practices. d) Developing Cyber-Security Incident Response Plans Develop or assist in development of written State Agency plans for incident response in the event of a cyber-security incident. e) Training Provide training for State Agency staff from basic user awareness to technical education. Post-Incident Services: a) Breach Services Toll-free Hotline Provide a scalable, resilient call center for incident response information to State Agencies. b) Investigation/Clean-up Conduct rapid evaluation of incidents, lead investigations and provide remediation services to restore State Agency operations to pre-incident levels. c) Incident response Provide guidance or technical staff to assist State Agencies in response to an incident. d) Mitigation Plans Assist State Agency staff in development of mitigation plans based on investigation and incident response. Assist State Agency staff with incident mitigation activities. e) Identity Monitoring, Protection, and Restoration Provide identity monitoring, protection, and restoration services to any individuals potentially affected by a cybersecurity incident. 2

4 TestPros IT security and risk management processes are based on the U.S. National Institute of Standards and Technology (NIST) guidelines as illustrated in Figure 1 (below) and industry best practices, including lessons-learned on many previous Assessment and Authorization (A&A) engagements. Our Security Program approach includes a set of activities with fully documented procedures and checklists extracted from the applicable guidance and standards, which we then assembled into a cohesive process that is fully tailorable to any given phase of the development lifecycle, and encompasses continuous process improvement initiatives. Architecture Description Mission Business Process FEA Reference Models Segment and Solution Architectures Information System Boundaries Repeat as Needed Step 6 MONITOR Security Controls FIPS 199/SP Step 5 AUTHORIZE Information Systems Risk Management Strategy Starting Point Step 1 CATEGORIZE Information Systems FIPS 199/SP RISK MANAGEMENT FRAMEWORK Security Life Cycle Organizational Inputs Laws, Directives, Policy Guidance Strategic Goals and Objectives Information Security Requirements Priorities and Resource Availability Step 2 SELECT Security Controls FIPS 200/SP Step 3 IMPLEMENT Security Controls SP Step 4 ASSESS Security Controls SP 800 Series SP A Figure 1 Risk Management Strategy TestPros provides a comprehensive set of technical support services, embedded with CMMI, ITIL, ISO, IEEE, NIST, and related industry and government standard practices, throughout the full life cycle from software development through system operations/ maintenance (O&M) and sustainment. We follow the PMBOK guidelines, rules and characteristics for project, program and portfolio management. We are well versed in detecting and remediating application and system vulnerabilities (common weaknesses enumerated CWE). Our risk management approach accommodates recursion and refinements, which aligns with iterative/agile approaches necessary for complex systems. It enables us to become involved at any point in the SDLC including with development already in progress, to diagnose issues, to identify remedial steps, and to move forward as integrated participants in each iteration of the system lifecycle processes. 3

5 Figure 2 below shows the major elements of TestPros Security Program. Figure 2 TestPros Performance-based Risk Management Framework Using this information and guidance from NIST SP Guide for Applying the Risk Management Framework to Federal Information Systems, A Security Life Cycle Approach, we will validate the security authorization boundaries and the network segments selected for discovery scan. If a gap it detected, we will report the gap(s) to the COR. TestPros experience in this area includes the discovery and analysis of assets and boundaries for DISA, DHS, DOI, USDA, and several other Federal Agency clients. TestPros will provide all the necessary personnel resources to fully satisfy the requirements of the SOW. TestPros has demonstrated expertise and knowledge in Federal Information Technology (IT) security laws, regulations, policies, and Presidential Decision Directives (PDD) 4

6 to include extensive working experience with applicable National Institute of Standards and Technology (NIST) Federal Information Processing Standard Publications (FIPS Pubs) and Special Publications (SPs). TestPros will review prior year s assessments and any Florida guidance regarding control selection criteria on which to select the controls to be assessed this period for each system. We will review the SSPs to identify control type and ownership, and we may leverage prior year(s) Security Assessment Plans (SAP), if they are deemed useful. TestPros provided research and design services to the DARPA National Cyber Range program - a National Cyber Security asset. TestPros will prepare a Security Assessment Plan (SAP) using the SAP template RMF SAP template v1 to describe the plan, process, and schedule for performance of the assessments for the GSS and the Major Applications. The SAP will clearly communicate the scope of the testing, the controls selected, and the objectives for the security control assessment in accordance with NIST SP A Rev 3 and Rev 4 (as applicable). The NIST SP A Rev 4 control areas are illustrated in Figure 3, below. TestPros will include the validated security authorization boundaries and asset inventory along with rational to support any sampling methodology. The SAP we develop will describe the vulnerability assessment and configuration auditing to be performed, the tools to be used, and any requirements of Florida to permit the tools to be installed and operated within the Florida environment. Identify Protect Detect Respond Recover Asset Management Business Environment Governance Risk Assessment Risk Management Strategy Access Control Awareness and Training Data Security Information Protection Processes and Procedures Maintenance Protective Technology Anomalies and Events Security Continuous Monitoring Detection Processes Response Planning Communications Analysis Mitigation Improvements Recovery Planning Improvements Communications Figure 3 NIST A Rev4 Security Controls TestPros will provide a draft of the SAP for Florida review and comment, and address comments received within the 5-day review period. TestPros understands that the objectives of a Security Test and Evaluation (ST&E) are to: Uncover design, implementation, and operational flaws that could allow the violation of security policies that may affect the confidentiality, integrity, and availability of the information and information systems; 5

7 Determine the adequacy of security mechanisms, assurances, and other properties to enforce the Department s security policy; and Assess the degree of consistency between the system documentation and its implementation. Figure 4 below shows our general approach and methodology for conducting Independent Security Test & Evaluation (ST&E) in support of this program. Figure 4 TestPros Independent Security Test & Evaluation Process Upon Florida approval of the SAP, TestPros will execute the security control assessments, in accordance with NIST SP A standards, for the GSS and the Major Applications. TestPros will coordinate with the designated Florida points of Defense Security Service (DSS) - IV&V / T&E of Security Tools TestPros provided support to the DSS, conducting testing and evaluation, in our cleared labs, on many leading IT security tools to determine each tool s real-world capabilities and limitations in various server, desktop/laptop, and mobile device environments. This provides us with a unique insight on the most effective use of security tools. contact for information requests to schedule telephone and in person meetings, and to coordinate all technical testing. We understand that Florida will provide necessary credentials to support authenticated vulnerability and configuration scans of the selected devices and applications, and that database vulnerability scanning is not included within the scope of this assessment. TestPros will prepare a Security Assessment Report (SAR) for the GSS and one for each of the Major Applications. TestPros will identify and document control weaknesses with associated assessed risk level and provide recommendations for risk mitigation that will aid system administrators with remediation. We will summarize the results of 6

8 vulnerability and configuration scans and provide detailed reports using the RMF SAR template v1. TestPros will draft (or update the existing) Plan of Actions and Milestones (POA&M) for the GSS and each Major Application. The draft POA&M will identify all weaknesses mapped to security controls, risk level, and TestPros recommendation for mitigation. 7

9 CORPORATE EXPERIENCE: TestPros has been successfully providing independent IT assessment services for the past 25 years. Our experience includes Project Management, Transition Support, Contingency Planning, Emergency Support, IV&V/QA Oversight, Program/System Security, C&A/A&A Support, FISMA/FedRAMP, Continuous Monitoring, Continuous Integration/Configuration Management, Test & Evaluation, Test Automation, Certifying Authority Support, and CONUS and OCONUS support. TestPros holds a Top Secret clearance. We understand Florida s IT security needs and we can provide qualified and appropriately cleared personnel to fulfill these requirements. The table below highlights some pertinent past performance that is relevant to this scope of work. Contract Name DISA Net-Centric Enterprise Services, Enterprise File Delivery DOI HQ, C&A Phase-2 Independent Security Assessment (including Cloud/FedRAMP) Military Health System (MHS) Integrated Information Technology (IT) Solutions C&A Phase-2 Support DARPA National Cyber (Security) Range A&A and IT Security Services Support Internet Consortium (Google, Yahoo!, MSN, AOL, CNET, etc.) SAFE SOFTWARE Agency Defense Information Systems Agency Department of Interior Pacific Joint Information Technology Center (Pacific JITC) Hawaii USDA (various components) Defense Advanced Research Projects Agency U.S. Department of Labor Software Assurance ( Independent Source Code Review ) Project Period of Performance Security Support QA Support T&E Support Monitor Support 05/ / / / / / / / / / / / / /2011 In addition, our experience includes: TestPros is working with a key member of the military industrial complex to provide a software source code security risk and vulnerability assessment (Software Assurance) on over 1 Million lines of source code (based on NSA, NIST, DHS, and DOD security policies as well as commercial best practices). 8

10 DATA QUALITY and DATA SECURITY An organization cannot secure what it cannot define, measure and control. This principle is especially relevant in the context of system testing at Florida. As Florida assesses security capabilities and requirements of its as is systems, it is especially critical that it consider the implications of adopting, or failing to adopt, the data quality aspects of both inputs and outputs of the testing process. Failing to do so increases the potential for maintaining systems that do not perform as intended. Increased security gaps and breeches, costs associated with re-work, and loss of confidence in the ability of the Department to conduct its mission are other possible outcomes. As it relates to Assessment and Authorization, the TestPros team believes it is extremely important to include Data Quality Management as a key component of the Task. By doing so, it will help insure that systems and applications deliver as intended, and only enable access and authorization as they should. As an example, if a building access database is only updated daily, the currency or recency dimension of data quality could be inadequate to meet security requirements: a badge could remain active and enable a terminated employee access. Some other Data Quality related questions that should be considered for Assessment and Authorization include: Does the comparison data used in the assessment and audit process originate from a vetted, authoritative source? Is it complete? Is it accurate? Is the level of detail sufficient? Are the data relevant to the specific user needs? The answers to these questions may not be a simple yes or no, but rather come in the form of the threshold or range of acceptable levels that must be base-lined and or established up front and then measured against during the testing process. Data quality management needs to be a cohesive, integrated process that measures quality levels, analyzes results and addresses the root cause issues. The scope of the data quality process includes people (IT and functional users), process and technology. Re-engineering deployed systems to incorporate added security is a time consuming and costly endeavor. Taking a Data Centric approach to system development will reduce these costs up front. Furthermore, having a Data Quality requirements set enables the IV&V process to achieve its intended effects of identifying unmet requirements during development - as opposed to during user acceptance testing or after rollout. These latter two approaches result in greatly increased costs. Ultimately, the data quality drives the quality of the security processes at Florida. If the data are of poor quality then the process cannot produce quality outcomes. When working with existing systems, a data-driven approach requires data reverse engineering across the multiple interfacing systems. Reverse engineering an organization s data assets has proven a successful approach to 9

11 reconstituting the understanding and/or the physical condition of organizational data systems that have deteriorated or become unclear. This approach will reduce costs in remediating existing systems as well as reduce cost in the development of future state strategic solutions by providing factual information about your data assets; what data exists, where it exists, how it is related to other data assets and the quality condition of those assets. TestPros has extensive directly related experience. We use a combination of automated security tools and processes such as Trusted Agent FISMA (TAF), Nessus, Foundstone, NCircle, Rapid7, BindView, NeXpose, Retina, NetIQ and other security and vulnerability scanning tools and manual testing methods to conduct comprehensive Security Test and Evaluation on customer IT assets. TestPros is also actively engaged with Cloud Security, including the FedRAMP program. FedRAMP Security Process As an enthusiastic government Prime Contractor we ask that you provide TestPros with the opportunity to compete for the IV&V, IT Security, QA, and related support for this program. Please feel free to contact me with any questions or if you need any additional information. Thank you, Kevin Murray President& Founder Direct Dial (703) KMurray@TestPros.com TestPros, Inc Lake Center Plaza, Suite 306 Sterling, VA Office Phone (703)