RFQ OIT-1 Q&A. Questions and Answers, in the order received.

Similar documents
RFQ OIT-1 Q&A. Questions and Answers, in the order received.

American Association for Laboratory Accreditation

Exhibit A1-1. Risk Management Framework

Request For Proposal ONWAA Website & E-Learn Portal

Continuous Monitoring & Security Authorization XACTA IA MANAGER: COST SAVINGS AND RETURN ON INVESTMENT IA MANAGER

Request for Proposal HIPAA Security Risk and Vulnerability Assessment. May 1, First Choice Community Healthcare

existing customer base (commercial and guidance and directives and all Federal regulations as federal)

Update on the Key Initiatives Recommended by NTT Data regarding the Agency Cyber Security Framework

Request for Proposal for Technical Consulting Services

FedRAMP: Understanding Agency and Cloud Provider Responsibilities

Questions Submitted Barry County Michigan Network Security Audit and Vulnerability Assessment RFP

Service Description: Advanced Services- Fixed Price: Cisco UCCE Branch Advise and Implement Services (ASF-CX-G-REBPB-CE)

Administrative & Operations Network Security Assessment

White Paper. How to Write an MSSP RFP

RFP/RFI Questions for Managed Security Services. Sample MSSP RFP Template

FIJIAN ELECTIONS OFFICE SYSTEM CONSULTANCY AUDIT. Expression of Interest (EOI) (04/2017)

OVERARCHING SECURITY CONSULTING SERVICES SAWS Solicitation No. R JAM. ADDENDUM NO. 1 February 28, 2018

State of Nevada Legislative Counsel Bureau 401 S. Carson Street Carson City, NV voice facsimile

FedRAMP Security Assessment Plan (SAP) Training

OHIO TURNPIKE AND INFRASTRUCTURE COMMISSION 682 Prospect Street Berea, Ohio 44017

How to Write an MSSP RFP. White Paper

Service Description: Identity Services Engine Implementation-Subscription Service

CoreMax Consulting s Cyber Security Roadmap

READ ME for the Agency ATO Review Template

Community College of Vermont

IT Audit Process Prof. Liang Yao Week Six IT Audit Planning

Service Description: CNS Federal High Touch Technical Support

HPE Data Replication Solution Service for HPE Business Copy for P9000 XP Disk Array Family

VMware vcloud Air Accelerator Service

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

WORK AUTHORIZATION NO. 4 CONTRACT FOR PROFESSIONAL ACCOUNTING SERVICES

Request for Proposal (RFP)

Service Description: Advanced Services Fixed Price Cisco WebEx Advise and Implement Service (0-5,000 Users) (ASF- WBXS-UC-PDIBSE)

MIS Week 9 Host Hardening

REPORT 2015/149 INTERNAL AUDIT DIVISION

Metropolitan Washington Airports Authority PROCUREMENT AND CONTRACTS DEPT. AMENDMENT OF SOLICITATION

Vulnerability Assessments and Penetration Testing

Community College of Beaver County. Request for Proposal. April 15, 2019

FedRAMP Training - Continuous Monitoring (ConMon) Overview

CYBER SECURITY BRIEF. Presented By: Curt Parkinson DCMA

Summary. Program Overview. Notice Type: Request for Proposal. Short Title: CEI Industrial Refrigeration Technical Support

FedRAMP Plan of Action and Milestones (POA&M) Template Completion Guide. Version 1.1

Cybersecurity & Privacy Enhancements

Service Description: Cisco Security Implementation Services. This document describes the Cisco Security Implementation Services.

SSC Transformation Initiative Fairness Monitoring Services

Housekeeping Items. 1. Sign in sheet and business cards. 2. Recording. 3. General Questions. 4. Technical Questions to City (Diana Chang)

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

Physical Security Reliability Standard Implementation

VMware BCDR Accelerator Service

Manchester Metropolitan University Information Security Strategy

Request for Qualifications for Audit Services March 25, 2015

Standard Development Timeline

Standard Development Timeline

Managed Security Services - Endpoint Managed Security on Cloud

ADDENDUM #2 Boulder County Sheriff s Office Electronic Health Record System for the Boulder County Jail RFP #

IMPROVING CYBERSECURITY AND RESILIENCE THROUGH ACQUISITION

Framework for Improving Critical Infrastructure Cybersecurity

AUDIT UNITED NATIONS VOLUNTEERS PROGRAMME INFORMATION AND COMMUNICATION TECHNOLOGY. Report No Issue Date: 8 January 2014

Cisco Data Center Accelerated Deployment Service for Nexus 9000 (ASF-DCV1-NEX-ADS)

Cisco QuickStart Implementation Service for Tetration Analytics Medium

IT SECURITY OFFICER. Department: Information Technology. Pay Range: Professional 18

Request for Proposals for Data Assessment and Analysis

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

March 1, Dear Vendors: Reference: RFQ No. FY Subject: Website Consulting Services

DFARS Defense Industrial Base Compliance Information

FDIC InTREx What Documentation Are You Expected to Have?

FedRAMP Initial Review Standard Operating Procedure. Version 1.3

DISTRICT OF COLUMBIA WATER AND SEWER AUTHORITY DEPARTMENT OF PROCUREMENT

Unofficial Comment Form Project Modifications to CIP Standards Requirements for Transient Cyber Assets CIP-003-7(i)

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com

HPE 3PAR Remote Copy Extension Software Suite Implementation Service

Vol. 1 Technical RFP No. QTA0015THA

Appendix 6 Operational Support Systems Change Management Plan

The Project Charter. Date of Issue Author Description. Revision Number. Version 0.9 October 27 th, 2014 Moe Yousof Initial Draft

Information Technology Security Audit RFP2018-P02 - Questions and Answers

"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary

WHITE PAPER- Managed Services Security Practices

This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective.

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

Chapter 5: Vulnerability Analysis

Ariba Supplier Network (ASN) is the network used to communicate between users of the Ariba software and the Contractors.

t a Foresight Consulting, GPO Box 116, Canberra ACT 2601, AUSTRALIA e foresightconsulting.com.

DFARS Safeguarding Covered Defense Information The Interim Rule: Cause for Confusion and Request for Questions

Performing a Vendor Security Review TCTC 2017 FALL EVENT PRESENTER: KATIE MCINTOSH

COMPLIANCE IN THE CLOUD

PROFESSIONAL SERVICES (Solution Brief)

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?

Standard CIP Cyber Security Critical Cyber Asset Identification

Managed Trusted Internet Protocol Service (MTIPS) Enterprise Infrastructure Solutions (EIS) Risk Management Framework Plan (RMFP)

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 January 23, 2015

FedRAMP Plan of Action and Milestones (POA&M) Template Completion Guide. Version 1.2

Appendix 2B. Supply Chain Risk Management Plan

Service Description: Advanced Services Fixed Price

INSTRUCTIONS FOR RESPONSE TO REQUEST FOR BEST VALUE PROPOSALS (RFP) #852W001

HPE 3PAR StoreServ Data Migration Service

Certified Information Security Manager (CISM) Course Overview

DISTRICT OF COLUMBIA WATER AND SEWER AUTHORITY ATTACHMENT A A-1: BACKGROUND AND CONTRACTOR QUALIFICATIONS A-2: SCOPE OF WORK

Washington State Emergency Management Association (WSEMA) Olympia, WA

Request for Comments (RFC) Process Guide

Transcription:

Question Does the system have an existing SSP? Do they use a system like Xacta or CSAM to generate the SSP. Will they provide us the current POAM list? Will they provide scanning tools or we have to bring our own? RFQ 2200-1715-OIT-1 Q&A Questions and Answers, in the order received. What s the number of OS servers, DB servers, Web Application servers we have to scan? Is there a format they prefer for the Security Assessment Report? Will previous SAR s be provided for reference? Answer N/A N/A The vendor will be allowed to utilize their own scanning tools during business hours. OSCA will not provide access to their scanning solutions. 10-15 OS Servers / 5-10 DB Servers, 5-10 Web application servers format preferred. Previous SAR is N/A Are there insurance requirements specific to this contract that are in addition to that required by the Term Contract? Will the Assessment Team have access to the locations during non-business hours and during business hours for conduct of the assessments? Can the vendor bring their own equipment into the OSCA environment? Is there an expectation for Penetration Testing to be part of the Vulnerability Assessment solution?. The assessment team will have access during business hours only which are Monday-Friday, 8Am to 5PM Eastern Standard Time. Penetration testing is not part of this assessment. Does the Customer have a vulnerability scanning and pen testing program already in place? Or does it have access to scan results from vendors if outsourced?, OSCA utilizes a vulnerability scanning solution. The vendor may utilize their own vulnerability scanning solution. OSCA will not provide access to their vulnerability scanning solution. If no vulnerability scan program, is the Contractor expected to conduct a vulnerability scan?. Has a similar assessment or audit been performed in the recent past?. Is the budget of $55K listed on page 1 the budget for this project? If not, what is the estimated budget?, the budget for this project is $55,000 Please confirm that the Florida Cybersecurity Standard Risk Assessment Tool is not included in the scope of this RFP. Correct, the Risk Assessment Tool is not within scope.

Please confirm vulnerability assessment scanning is not included in the scope of this RFP. Vulnerability assessment scanning is within scope. The Initial Draft due 8/20/2018 states, Delivery: An initial draft of the IT Security Risk Assessment Report shall be provided to OSCA for review to ensure the document conformance with the SOW. OSCA shall provide feedback within 7 days of receipt of the initial drafts. This feedback will include any changes or adjustments vendor is to make to the document prior to submission of the final deliverable. If OSCA takes the full 7 days to provide feedback to the draft, it will not be possible to provide the Final Draft by 8/27/2018. Will OSCA consider changing the Final Draft of IT Security Risk Assessment Report due date from August 27, 2018 to a later date to allow the contractor to receive and integrate comments from OSCA into the Final Draft Report? Given the limited budget for this project, will OSCA waive the requirement for inperson briefings (limit 2) and consider Webex/teleconference as an acceptable method to meet this requirement for remote participants to reduce/limit the cost of travel?. The OSCA is willing to adjust the dates as follows: The initial draft will still be due on 8/20/18. The OSCA will provide changes and/or adjustments to the vendor by 8/25/18. The final draft will be due from the vendor by 5pm on 8/30/18. The RFQ states there are 100+ server endpoints, please specify the exact number 268 Specify the number of actual servers, both physical and virtual. 63 Physical Servers / 205 Virtual Servers The RFQ states there are 200+ user endpoints, please specify the exact number. Estimated 208 The RFQ states there are 20+ application, please specify the exact number. Are they off-the-shelf or in-house developed? Please specify the numbers for each. Is this risk assessment to be in compliance with Rules 74-1 and 74-2 of Florida Administrative Code? Are we expected to use the AST Florida Cybersecurity Standards-Risk Assessment Tool V1.0 as part of this engagement? OSCA administers over 80 in house and third party applications. Within the scope of this RFQ is 20-25. Total Agency Budget is listed as $55K. Can OSCA please clarify if this is the total budget available for this risk assessment? $55,000 is the total budget available. Will the vendor be required to compile risk assessment results in the FCS 74-2 template that was developed by AST for similar Agency risk assessments in 2016-2017?

Is the scope of work limited to assets that are supported and maintained by OSCA at the data center located within the Florida Supreme Court building? If not, what other assets are in scope? Are the user and server endpoints and applications in this table all considered in scope? If so, are they all supported and maintained by OSCA at the data center located within the Florida Supreme Court building? Will the vendor have access to OSCA threat intelligence feeds? OSCA will not provide access to their threat intelligence feeds. OSCA will not provide access to their vulnerability scan and Will the vendor have access to OSCA vulnerability scan and assessment reports? assessment reports. Is technical configuration/vulnerability testing included as part of the overall NIST CSF framework and in scope for this assessment? Is the vendor performing the assessment expected to complete the AST CSF spreadsheet? Will the Office consider a 30-day extension to the assessment timeline (final due 10/1 instead of 9/1)? Based on prior experience with this assessment is other State for Florida entities, we anticipate the Office will need a couple of weeks minimum to prepare, collect documentation, schedule SME interviews, etc. OSCA will consider a 30 day extension to the assessment timeline. What is the Office s budget for this project? $55,000 What is the total Agency total budget? The RFQ states 55,000 and is unclear what this figure is intended to communicate. $55,000 Please confirm the number of physical locations in scope of this RFQ are two (2). In Section 1.B of the Overview, the Florida Supreme Court and OSCA Annex are indicated. The physical location of the Florida Supreme Court is only within scope. Please indicate if this is a governance-only assessment? For this RFQ is OSCA considering network vulnerability assessments and network penetration testing within scope? The scope of this risk assessment is outlined in Section VII in which states that the assessment shall evaluate the processes, policies, and procedures of OSCA and how they align with the resources identified as part of the NIST Cybersecurity Framework. This assessment is not governance only. Network vulnerability assessments are within scope. Network penetration is not.

If yes, then several additional items will be needed to understand the services the complexity of the environment. OSCA's infrastructure primarily consists of Microsoft solutions (desktop O/S, Server O/S, Active Directory, IIS). OSCA primarily uses Microsoft SQL and Oracle for database functions. OSCA consists of many in-house web applications to facilitate services but manages web applications developed by a third party. Within the scope of this RFQ is the data center housed in the Florida Supreme Court building that serves the Florida Judicial Branch and the information technology assets that provide the services. For this RFQ does OSCA require a full project management plan? If yes, will templates be made available prior to the start of the project?. Vendor may use their own template. Will OSCA provide a copy of a previous assessment or template at the start of the project?. Failure to accept a deliverable within twenty (20) calendar days means automatic non acceptance Please indicate the scenario where this could occur? This statement appears to indicate that a deliverable could inadvertently be rejected if a reviewer were to be This is standard language and OSCA does not have a scenario where out for illness. this would be applicable. Please indicate if conference rooms will be available for required meetings such, OSCA will be able to accommodate the vendor for required as kick-off and final presentations. Will OSCA schedule these on the vendor s meetings and final presentations. OSCA can schedule meetings on behalf? behalf of the vendor if necessary. Please indicate OSCA s expectations for on-site meetings and/or status reports? Please confirm the vendor should use pricing under GSA Schedule 70. The cover page lists these two contracts: STATE ALTERNATE CONTRACT SOURCE 252-GSA-SCHEDULE 70, Cyber Security and IT Professional Services STATE TERM CONTRACT NUMBER 973-000-14-01, Management Consulting Services OSCA expects on-site meetings with staff to be timely and precise. OSCA also expects that status reports provide a summary of completed actions, and subsequent action items with estimated timeframes for future activities. OSCA will accept meetings via video or web conferencing solution(s) in lieu of in-person meetings. The vendor should providing best and lowest pricing available, whether based on the contract(s) or otherwise. The contract(s) provide maximum pricing. Does OSCA currently have vulnerability and compliance assessment tools deployed to the enterprise (e.g. Tenable Nessus, HP Web Inspect, etc )?

Does OSCA currently have System Owners, ISSOs, Technical leads currently in place for the system? Has the system been categorized as High, Moderate or Low? Does the system have PII? Does the assessment include any hot failover or continuity of operations facilities? Does OSCA utilize a system of record manager such as CSAM, XACTA, or ARCHER?, there is no current data classification defined., PII does exist. Section I. Para B Current State Information. First row. What does 55,000 on first row represent? Does this mean the total agency budget is $55,000?, $55,000 is the total agency budget. For Section VII Para A.1 The listed functions to be assessed do not seem to include all the NIST SP 800-53 security controls. Please confirm that the security The security controls listed are the only required for the OSCA controls listed are only required for the OSCA assessment assessment. Section IX Quote Submission. Tab B. Para C. Only info provided about the OSCA IT system is provide in Section 1, Para B. Respectfully request government provide a more detailed overview of the current OSCA IT security model/systems and business rules/data. This would help in scoping a response to this area. OSCA serves as the administrative arm of the Florida State Courts which include the Florida Supreme Court and the five Appellate Courts. OSCA IT staff administer a data center within the Florida Supreme Court building. OSCA IT infrastructure includes, but is not limited to - Microsoft Active Directory, Exchange, Windows Servers, Windows Desktops, in-house developed applications, criminal justice information systems (CJIS) systems of which are governed by the FBI CJIS security policy and FDLE. Is this the first time a risk assessment of this nature has been conducted within this environment? Past Experience and Understanding of Customer Needs (Page 7, Tab B (A)). Is it required that the offeror has had direct past experience with OSCA or the State of Florida?. Pricing should be the best and lowest available pricing for the services to be rendered. The contract(s) providing maximum pricing Price Sheet (Page 8, Tab D). Can we use our prices that are established in our for services; if lower pricing is available, that pricing should be GSA Schedule 70 if we are not on the State Term Contract? quoted. Section XIV (B). Is this project funded?

Is there a provided Price Sheet from the State or should each vendor use their own price templates? Own templates. What is the time deadline on 6/12/18 to submit? Will this submission be to email or in a portal? The OSCA will accept submissions through 11:59pm on 6/12/18. OSCA will accept meetings via video or web conferencing solution(s) in lieu of in-person meetings. However, vendors will not be provided remote access for technical actions of the assessment and will Can this work be completed remotely? require the vendor to be onsite. Are all Access Points in the same location? After the vulnerabilities have been identified. (a) Are additional tasks or testing required? (b) Only a report is required? Although much of the wording of the RFQ reads as if this is a policy and procedure assessment, do you also want technical verification that the various processes are in place? This would require some technical testing.. Technical verification is not necessary, identification is. Within the scope of this RFQ is that the vendor have the capability of identifying vulnerabilities of critical systems. t within the scope of this RFQ is verifying that the vulnerabilities can be verified by pen testing.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback