SOW Work-IT-SecReview
Statement of Work
Review of IT Security Program and Systems
1.0 INTRODUCTION
1.1 OBJECTIVE
This Statement of Work (SOW) is being issued on behalf of the HGA, located at 1111
First Street, Washington, D.C. 20001. HGA is requesting qualified bidders under the
General Services Administration, Federal Technology Service, Office of Information
Security SAFEGUARD program, to respond to the tasks described in this SOW.
1.2 BACKGROUND
U.S. Equal Employment Opportunity Agency
Statement of Work for Automated Information Security Program Update
responsible for the IT modernization effort. OIRM has recently completed the
deployment of local area networks (LANs) in the field offices and is now seeking
to utilize the enhanced technical infrastructure to introduce value-added services
to the HGA user community. In addition to the LAN deployment in the respective
field offices, OIRM is in the process of completing its implementation of a wide
area network (WAN). The WAN hardware in use consists of Cisco routers. In the
first phase of the implementation, the WAN was extended to the 55 district offices
and the Washington Field Office. In the second phase of the deployment, OIRM
will be extending the WAN to the 25 area and local offices.
The mission-critical Charge Data System (CDS) is installed in each of the field
offices, hosted by Unix-based computers. Upon completion of the LAN
installation, access to CDS is accomplished using TCP/IP across the network-
cabling infrastructure. The desktop PC supports both IPX and IP protocols.
IPX is used to provide connectivity from the desktop to the file server. IP is used
to provide connectivity to the current CDS system and the Internet and will be
used to provide connectivity to the new Integrated Mission System (IMS) in the
future. OIRM has a defined IP/IPX addressing plan for the Agency.
The Agency’s desktop computers are all Pentium class machines with a mix of the
Windows 95/Windows 98 operating systems. All desktop computers in the
Agency are Dell computers.
The minimum file server standard for the Agency is a Pentium, 200 MHz
machine with a minimum of 128 MB of RAM, and dual 9 GB drives.
The Agency’s current standard for its network operating system is Novell
NetWare 4.11 (IntraNetWare).
2.0 SCOPE
HGA has an immediate requirement for contractual support for technical security
consulting services for its Automated Information Security Program. As a means of
implementing the General Accounting Office’s (GAO) five best practices for risk
management, HGA is undertaking a review of its entire Automated Systems Security
Program to include risk analysis/vulnerability assessment of its systems, assessment of
the automated security program, security awareness training, development and
enhancement of security plans, continuity and contingency planning, and infrastructure
protection review.
The immediate project requirement consists of the review, revision, and enhancement of
HGA's information technology and automated information security program as mandated
in the Computer Security Act of 1987 and OMB Circular A-130 - Appendix III. The
review process must also consider other Federal guidance, for example the impact on
system security of implementing electronic signatures as part of the Government
Paperwork Elimination Act (GPEA).
The second phase of this project consists of an assessment and recommendations for
HGA’s automated information security program and specific enhancements in the area of
security awareness and training. Security plans for selected HGA systems will be
reviewed and updated as part of this assessment phase. Specific tasks for the project are
described below.
HGA requires contractors with technical expertise in the development and assessment of
automated information security programs, development of security plans, experience in
conducting risk analyses and vulnerability assessments, expertise in continuity and
contingency planning, and proficiency in the development of security awareness training
programs. In-depth knowledge of federal security guidelines, e.g., Computer Security
Act of 1987, OMB Circular A-130 - Appendix III and Presidential Decision Directive
(PDD) 63 as well as Federal and industry security best practices must also be
demonstrated.
3.0 TASKS
The contractor, working with HGA's computer security program manager and
with other HGA/OIRM officials responsible for the respective HGA systems, must
conduct a complete risk analysis. The risk analysis for each system will consist of
six specific elements: definition of scope of analysis, identification of the
agency’s critical assets, determination of the best analytical
(qualitative/quantitative) base for an evaluation, identification of potential risks,
evaluation of the risk profile (vulnerability assessment), and identification and
recommendations for cost-effective safeguards.
The process for the review and creation of the risk analysis report will be the
same for each system under review. The deliverables identified below are
required for each system. The complete set of deliverables will be received and
accepted prior to the start of the process for the subsequent system’s risk analysis.
1. Draft outline. A written draft outline of the risk analysis report must be
provided. This outline will provide the basis for the draft and final report
deliverables for this task. The outline must contain sufficient detail to
indicate all pertinent areas of the risk analysis will be addressed and
should include all areas in which risks will be reviewed, e.g., physical,
operating system, application, data, emergency preparedness, backup,
disaster recovery, etc. This deliverable will be required for ONLY the first
risk analysis. All subsequent risk analyses will utilize the same format.
This deliverable is due 5 working days after the start of this task. The
government will provide written comments within 5 working days after
receipt of the draft outline.
2. Draft report. A written draft report, based on the approved draft outline,
which contains approximately the first 50% of the elements required in the
risk analysis report is required as a deliverable. The draft report must
contain the complete write-ups for the first half of the risk analysis,
including but not limited to the first 3 items noted above, as well as the
assessment of physical, data, and operating system security. This
deliverable is due 20 working days after the government’s acceptance of
the draft outline. The government will have 10 working days to review
the deliverable and provide written comments to the contractor.
3. Final report. The final report must address all written government
comments on the prior draft. The final report must include the complete
risk analysis for the system, which includes all items identified in the draft
report, the remainder of the risk identification section, and the final 3
items noted above. This final report deliverable is due 20 working days
from the receipt of the government’s comments on the draft report. The
government will have 10 working days to review the final report and
provide written comments to the contractor. The contractor must
incorporate or address all of the government’s written comments before
the deliverable will be accepted as final by the government. The final
deliverable is due 5 days after receipt of the government’s written
comments.
NOTE: Two of the three deliverables (draft and final report) will be
required for all six HGA systems. Therefore, the total number
of deliverables for this task is 13.
2. Draft report. A written draft report, based on the approved draft matrix
(outline) which contains the results of the review of the HGA Security
Program relative to Federal statutory requirements and Federal agencies’
“best practices” is required as a deliverable. The draft report must contain
sufficient detail to indicate all relative Federal statutory requirements have
3. Final report. The final report must address all written government
comments on the prior draft. The final report must include all weaknesses
or deficiencies and the recommendations for correction of the weakness or
deficiency. The recommendations must include the level of effort or cost
required to correct the deficiency and must contain enough detail that the
recommendation would be capable of being implemented. The report
should also identify any areas of the HGA Security Directive which must
be modified in light of these recommendations. The final report
deliverable is due 15 working days from the receipt of the government’s
comments on the draft report. The government will have 10 working days
to review the final report and provide written comments to the contractor.
The contractor must incorporate or address all of the government’s written
comments before the deliverable will be accepted as final by the
government. The contractor will have 5 days to finalize the report.
HGA requires technical support in the area of Security Training and Security Awareness.
HGA requires that security training be conducted for HGA’s system owners. HGA also
requires the development of a curriculum or security awareness documentation that can be
used on an Agency-wide basis.
responsibilities relative to their system and to orient them for their role in
assisting the Contractor with the task of developing security plans and operational
procedures (described below). The training modules should be developed
following the general outline documented in NIST Special Publication 800-18,
“Guide for Developing Security Plans for Information Technology Systems”. The
training should be considered fairly high-level and is expected to consist of
approximately 6-8 classroom hours of training material.
The contractor will also conduct an assessment of the current security information
provided to all HGA employees relative to that required by current government-wide
directives such as OMB Circular A-130. Based upon this assessment, the
contractor will update or develop, in conjunction with HGA requirements as
identified in the risk analysis task (defined above), a security awareness
brochure/pamphlet, or recommend commercial-off-the-shelf training materials that
can be provided to and used by all HGA personnel. This brochure will contain
information required by government-wide directives and specific HGA
implementing procedures and be designed to inform all employees of their
individual security responsibilities.
The Contractor will review existing computer security plans and operational
procedures for HGA's major application and general support systems written to
comply with the Computer Security Act of 1987, and will revise or update the
plans to reflect system changes. For those major applications or general support
systems for which no computer security plan exists, the Contractor will create
new plans.
The contractor, working with HGA's computer security program manager and
with other HGA/OIRM officials responsible for the respective HGA systems will
update or create new security plans. The revised and new plans will be concise,
but will be written to conform to NIST Special Publication 800-18 (Guide for
Developing Security Plans for Information Technology Systems). The security
plan for each system will clearly define the security requirements, describe the
controls in place or planned to meet these requirements, and delineate the
responsibilities and expected behavior of all individuals who access the system.
The process for the review and creation of the security plans will be the same for
each system under review. The deliverables identified below are required for each
system. The complete set of deliverables will be received and accepted prior to
the start of the process for the subsequent system’s security plan.
2. Draft report. A written draft report, based on the approved draft outline,
which contains all of the elements required in the security plan will be
required as a deliverable. The draft report must contain all elements of the
security plan including, but not limited to, system identification, system
name/title, responsible organization, information contact, assignment of
security responsibility, system operational status, general description,
system environment, system interconnection/information sharing,
sensitivity of information handled, management controls, and operational
controls. As a draft, the elements in each section can be identified in
bullet format, i.e., the complete write-up does not need to be drafted, but
must contain enough information to identify key points for each section.
If specific items cannot be identified, e.g., management or
operational controls, these items must be clearly identified and a
recommendation for corrective action made. Any such
recommendation should be identified and documented as separate from
the actual security plan. This deliverable is due 20 working days after the
government’s acceptance of the draft outline. The government will have
10 working days to review the deliverable and provide written comments
to the contractor.
3. Final report. The final report must address all written government
comments on the prior draft. The final report must include the complete
security plan for the system. All items identified in the draft report in
bullet format must be expanded into a complete write-up. If specific items
cannot be identified, e.g., operational or management controls,
these items must be clearly identified and a recommendation for corrective
action made. Any such recommendation should be identified and
documented as separate from the actual security plan. This final report
deliverable is due 20 working days from the receipt of the government’s
comments on the draft report. The government will have 10 working days
to review the final report and provide written comments to the contractor.
The contractor must incorporate or address all of the government’s written
comments before the deliverable will be accepted as final by the
government. The final deliverable is due 5 days after receipt of the
government’s written comments.
NOTE: These three deliverables will be required for all six HGA systems.
Therefore, the total number of deliverables for this task is 18.
The contractor must identify appropriate technologies for electronic signature and
identify the change in the potential risk and risk profile which might be
introduced as a result of the implementation of such technologies for HGA’s
system for tracking charges (CDS/IMS). This task will not begin until the risk
analyses and security plans for both CDS and IMS have been completed.
HGA will provide the following facilities, tools, supplies, and resources to aid the
contractor in the accomplishment of the tasks and functions described above.
1. HGA will provide space (a desk and chair) at our headquarters site for up to two
contractors for this project.
2. Each contractor will be provided with at least one (1) telephone and one (1)
computer when working at the headquarters site. Telephones may only be used in
accordance with Federal Guidelines and Standards to conduct HGA-related
3. On-site contractor personnel have the use of copiers located in the HGA
headquarters building. Copying paper and acetate materials will be supplied by
the Government as needed.
The following operational support will NOT be provided by HGA as part of this contract.
It is the responsibility of the contractor to supply these items, as needed, to accomplish
the tasks described above.
1. Office supplies such as paper, pens, pencils, clips, staplers, or any other general
office supplies.
5.0 PERSONNEL
Resumes for all individuals proposed for each task should be submitted as part of the
proposal in accordance with previous standards set under the GSA Federal Technology
Service's (FTS) Safeguard contract. In addition, the specific staff categories described
below must also be addressed. Personnel must have demonstrated experiences,
documented in their resume, in support of the specific task for which they are being
proposed.
2. A security analyst skill set is required: skills in the assessment and development of
security plans and in conducting risk analyses and vulnerability assessments based
upon Federal sector requirements; current experience in reviewing,
documenting, and auditing security requirements for systems built using state-of-the-art
technologies, e.g., Internet/Intranet services, Web and Web-enabled
applications, HP-UX, Oracle DBMS, etc.; and expertise in performing information
systems auditing.
5. The specific individuals proposed for each task must be made available, at the
appropriate time in the project, to work full-time on the tasks described in this
Statement of Work.
6. All personnel with the above defined skill set related to this Statement of Work
are considered Key Personnel. Offerors may NOT replace Key Personnel after
the technical evaluation is completed unless the individual is no longer an
employee of the Offeror or unless written permission is obtained from HGA. This
clause supersedes any other statements on personnel associated with this contract.
A bid on this Statement of Work constitutes acceptance of this clause.
7. All personnel must be fully trained and ready for the tasks for which they are
proposed, prior to becoming billable through this contract.
The Contractor shall submit reports and other deliverables in accordance with the
6.1 Meetings
Within one week of notification of the award, the contractor will schedule a kick-off
meeting with the government. The contractor will prepare an agenda for the meeting.
The contractor will provide to the government at the meeting a list of documentation
needs which will be required to be provided by the government in order for the contractor
to successfully complete each of the tasks in this project. The contractor will also prepare
a schedule which includes milestone dates for all deliverables in this project.
A regularly scheduled status meeting will be held every two weeks during the course of
the project. The contractor will be responsible for preparing the agenda, documenting the
meeting through meeting notes, and maintaining an up-to-date project schedule.
6.2 Reports
The contractor shall submit monthly progress reports. The progress report shall contain
an executive summary, information on significant activities, progress on work associated
with the tasks, and funds status. The report shall be submitted 10 working days after the
reporting period and will be submitted electronically in WordPerfect 8.0 format.
The confidentiality and disclosure provisions of Title VII of the Civil Rights Act of 1964
and Title I of the Americans with Disabilities Act prohibit disclosure of any charge or
charge-related information. The contractor shall agree that such information will not be
disclosed and will only be used for the performance of their responsibilities under this
task order.
8.1 Instructions
1. Describe the approach, methodology, technique, or plan that you are proposing to
accomplish each task. Each task should be identified separately using the
parameters defined in the scope section.
3. Provide resumes for the person(s) that you are proposing to accomplish each task.
Heavy emphasis will be placed on the skills and previous experiences of proposed
personnel.
4. Provide a quality assurance and project plan which identifies the deliverables in
the project, time frames for completion, milestone dates, and the management
controls which will be put in place to ensure the product is completed in the time
frames and for the funding defined.
All Offerors must submit a proposal that addresses all tasks described in this Statement of Work.
The technical portion of this proposal is worth 80 points while the cost portion is worth
20 points. HGA will follow the standard procedures established under the GSA/FTS/OIS
Project Safeguards Contract to evaluate the technical portion of the proposal. Table 1
shown below describes the areas of evaluation and the weighted score values for the
technical portion.
TABLE 1
Evaluation Criteria and Scores
2. Past performance 25
System inventory table (fragment, one row recovered): Network (Agency's Local and Wide Area Network (WAN)); Office of Information Resources; Primary general support system for HGA's Local and