USCG RFP: Information Assurance (IA) Risk Management Framework (RMF) Support Services IDIQ

Notice ID: 70Z04424RESDIAB01

Related Notice: 70Z04423IESDIAB01

This is a combined synopsis/solicitation for commercial services prepared in accordance with the format in Subpart 12.6, as supplemented with additional information included in this notice, to award a single-award Indefinite Delivery/Indefinite Quantity (IDIQ) contract.

The Contractor must provide Information System Security Officer (ISSO) and Alternate ISSO (AISSO) services, Information System Security Engineer (ISSE) services, Security Control Assessor (SCA) services, and Cybersecurity Compliance and Readiness Services as described below to meet the requirements of the USCG Cybersecurity RMF process and the cybersecurity of USCG Information Systems. The Contractor must furnish all the necessary personnel, materials, equipment, facilities, travel and other services required to satisfy all task order requirements unless otherwise specified.

Task Area One: Information System Security Officer (ISSO) Services

  1. Serve as the designated ISSO for assigned systems.
  2. Lead the RMF process for assigned programs, organizations, systems, or enclaves.
  3. Generate as appropriate, or gather, assess, and maintain the RMF documentation package that meets all Department of Defense (DoD) requirements and is tailored to a specific system. Documentation may include but is not limited to: Security Categorization Determination, Implementation Plan, System Security Plan (SSP), Configuration Management Plan (CMP), Incident Response Plans (IRP), Contingency Plans (CP), Authorization documentation, IT Security Plans of Action & Milestones (POA&Ms), Scorecards, Security Assessment Reports (SAR), Continuous Monitoring Strategy, Vulnerability Scans, Hardware/Software lists, Threat Models, Cybersecurity Strategy, Network Topology, Network Cybersecurity Boundary Diagrams, and Data Flow Diagrams using Government prescribed tracking and processing tools.
  4. Ensure that all DoD Information System (IS) cybersecurity-related documentation is current and accessible to properly authorized individuals.
  5. Interpret system designs and diagrams for the purposes of identifying data interconnections, interfaces, protocols, and data types in order to select appropriate controls to remediate or minimize Cybersecurity risk exposure to the Coast Guard.
  6. Provide support for, and develop, a connection approval package such as an Interconnection Security Agreement (ISA), Memorandum of Understanding (MOU), Service Level Agreement (SLA), and so forth, for systems that require connectivity to any type of USCG Local Area Network (LAN) (e.g. DoD Information Network (DoDIN), CGOne, SIPRNet) …

Task Area Two: Information Systems Security Engineer (ISSE) Services

  1. Serve as the Information Systems Security Engineer (ISSE), providing technical input, recommendations, and assistance with the implementation of both high-level and granular cybersecurity approaches, methods and solutions that incorporate and maintain compliance with requirements resulting from laws, regulations, and other pertinent guidance.
  2. Participate in acquisition meetings (PMR, PDR, CDR, etc.), concept of operation (CONOP) working groups, change boards, technical exchange meetings and other similar activities. Design and develop security requirements that drive down risk while maintaining operational capability.
  3. Work between architecture-level and implementation-level engineering meetings to maintain a system-wide view of security functions and apply risk mitigation strategies at the appropriate level.
  4. Provide guidance on work against program requirements and goals. This includes participating in technical discussions, trade studies and working groups, and conducting research on industry best practices for potential implementation …

Task Area Three: Security Control Assessor (SCA) Support Services

  1. Support the development and review of any plan that includes control assessment and implementation, including Security Assessment Plans, System Security Plans, and any other security-developed document referring to security and/or privacy controls.
  2. Assess the security and privacy controls in accordance with the assessment procedures defined in the security assessment plan.
  3. Prepare the security assessment report documenting the issues, findings, and recommendations from the control assessment.
  4. Assess a selected subset of the technical, management, and operational controls employed within and inherited by the information system in accordance with the organization-defined monitoring strategy …

Contract Ordering Period: Five (5) years.
