The African Development Foundation
Certification and Accreditation of USADF Information Systems

Introduction

The United States African Development Foundation (ADF) is an independent Federal agency established to support African-designed and African-driven solutions that address grassroots economic and social problems. ADF provides grants directly to under-served and marginalized community groups and enterprises. The grants help organizations create tangible benefits such as increasing or sustaining the number of jobs in a community, improving income levels, and addressing social development needs. ADF is a public corporation with a seven-member Board of Directors who are nominated by the President and confirmed by the United States Senate.

ADF is a Federal grant-making public corporation and can be characterized as a micro-agency with 50 staff members in Washington. Washington staff communicates with approximately 100 contractors and partners in 20 countries in Africa via email and telephone. ADF's annual budget is approximately $30 million per year.

To support its mission and the work of its staff, the Foundation operates an internal computer network. Network integrity and reliability are critical to ADF's operations, and e-mail and Internet connectivity are critical to ADF's ability to work with its partners and clients throughout Africa. The ADF network is best characterized as a Wide Area Network (WAN) and includes various servers, client computers, printers, firewalls, intrusion detection systems, offline storage devices, routers, switches and other devices deployed both in our offices in Washington, DC, and in Africa. The internal network utilizes Microsoft Windows operating systems and application software. In addition to internal operations, the WAN provides Internet e-mail and Internet connectivity for ADF.

Statement of Work

Scope

This Statement of Work presents two tasks, both of which will examine two systems at USADF.
System 001 - USADF Wide Area Network (WAN)

The WAN comprises the system of routers, switches, firewalls, servers, and conduits that support the connectivity of the USADF wide area network and provides the single interface to the VERIZON backbone network for Internet access. This infrastructure and WAN connectivity is bounded by a border/gateway router and perimeter firewall and includes software and hardware applications, workstations, servers and switches.

System 002 - USADF Program Support Systems (PSS)

The Program Support Systems (PSS) is comprised of system applications that support the Foundation's organizational requirements, under the management of the Management Division. The PSS is comprised of the following mission support applications:
• Grants Management Database (GMDB) Application
• Pro Req Procurement System
• ADF Web Software Application
I. Risk Assessment

The contractor shall perform a risk assessment on the two specified systems. Along with other elements of the U.S. African Development Foundation information security plans, the assessment of risk is an important activity that directly supports security accreditation as required by the Federal Information Security Management Act (FISMA) and Office of Management and Budget (OMB) Circular A-130, Appendix III. Risk assessments influence the development of the security controls for information systems and generate much of the information needed for the associated system security plans.

The risk assessment shall be performed in consideration of the requirements outlined in Federal Information Processing Standard (FIPS) 200, "Minimum Security Requirements for Federal Information and Information Systems", and shall characterize the information processed by the specified system using FIPS 199, "Standards for Security Categorization of Federal Information and Information Systems". In addition, the processes and controls presented in the following National Institute of Standards and Technology (NIST) Special Publications shall be followed and referenced as well:
• National Institute of Standards and Technology Special Publication 800-37 Rev 1, "Guidelines for Security Certification and Accreditation of IT Systems", (February 2010).
• National Institute of Standards and Technology Special Publication 800-53, Rev 3, "Recommended Security Controls for Federal Information Systems and Organizations", (August 2009).
• National Institute of Standards and Technology Special Publication 800-60, Volume I-Rev 1, "Guide for Mapping Types of Information and Information Systems to Security Categories" and Volume II-Rev 1, "Appendices to Guide for Mapping Types of Information and Information Systems to Security Categories", (August 2008).

The risk assessment will accomplish the following tasks.
1. Identification of the information types processed by the system, associated with the appropriate NIST SP 800-60 information type; the appropriate information sensitivity for confidentiality, integrity, and availability; and the rationale for the sensitivity.
2. Identification of specified system user types and associated roles and responsibilities.
3. Identification of risk assessment team members and their associations.
4. A description of the risk assessment approach and techniques, where the techniques include documentation review, interviews, observation, and hands-on system assessment.
5. A description of the risk scale used, including at a minimum the potential impact as defined in FIPS 199, and likelihood as defined in NIST SP 800-30, "Risk Management Guide for Information Technology Systems".
6. A list of potential system vulnerabilities.
7. A list of potential threat-sources applicable to the system, including natural, human, and environmental threat-sources.
8. A table of vulnerability and threat-source pairs and observations about each.
9. Detailed findings for each vulnerability and threat-source pair discussing the possible outcome if the pair is exploited; existing controls to mitigate the pair; the likelihood determination as high, moderate, or low; the impact determination expressed as high, moderate, or low; the overall risk rating based upon the risk scale; and the recommended controls to mitigate the risk.
10. A summary that includes the number of high, moderate, and low findings and provides a list of prioritized action items based upon the findings.

The risk assessment shall be documented in a report that follows the US Nuclear Regulatory Commission Template for Risk Assessment Report. The report shall be delivered in draft form and then in final form after ADF comments are incorporated. ADF IT Security staff review of the draft is required to ensure compliance.
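Tasks 5 through 10 above describe a qualitative rating: each vulnerability/threat-source pair gets a likelihood and an impact, those map to an overall rating on the risk scale, and the report closes with counts per rating and a prioritized action list. The following Python is an added worked example and is not part of the solicitation or ADF's material. It applies the scale from NIST SP 800-30 (2002), Table 3-6, which the solicitation cites for likelihood (likelihood weights 1.0/0.5/0.1 multiplied by impact values 100/50/10, with bands Low 1-10, Moderate >10-50, High >50-100; the solicitation's "moderate" is used where SP 800-30 says "medium"). The three findings, their likelihood and impact values, the existing and recommended controls (including the SP 800-53 control identifiers named in them) and all function names are constructed for illustration and describe no actual ADF weakness.

```python
"""Qualitative risk determination for vulnerability / threat-source pairs.

Constructed illustration of tasks 5-10 of the risk assessment: the scale is
the one in NIST SP 800-30 (2002), Table 3-6; the findings are made up.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# NIST SP 800-30 Table 3-6: likelihood weight x impact value = risk score.
# The solicitation says "moderate" where SP 800-30 says "medium"; same values.
LIKELIHOOD = {"high": 1.0, "moderate": 0.5, "low": 0.1}
IMPACT = {"high": 100, "moderate": 50, "low": 10}


def risk_score(likelihood: str, impact: str) -> float:
    """Numeric score on the 1..100 scale of SP 800-30."""
    return LIKELIHOOD[likelihood.lower()] * IMPACT[impact.lower()]


def risk_level(score: float) -> str:
    """SP 800-30 rating bands: Low 1-10, Moderate >10-50, High >50-100."""
    if score > 50:
        return "high"
    if score > 10:
        return "moderate"
    return "low"


@dataclass
class Finding:
    """One vulnerability / threat-source pair (task 8) with its detail (task 9)."""
    number: int
    vulnerability: str
    threat_source: str
    risk_type: str          # "confidentiality", "integrity" or "availability"
    likelihood: str         # high / moderate / low
    impact: str             # high / moderate / low
    existing_controls: str
    recommended_controls: str

    @property
    def score(self) -> float:
        return risk_score(self.likelihood, self.impact)

    @property
    def level(self) -> str:
        return risk_level(self.score)


# Constructed sample findings (not ADF's; values chosen to exercise each band).
SAMPLE_FINDINGS: List[Finding] = [
    Finding(1, "Contingency plan exists but has never been tested",
            "Environmental: power or hardware failure", "availability",
            "moderate", "high", "Nightly backups to offline storage",
            "Conduct and document an annual contingency plan test (CP-4)"),
    Finding(2, "Workstation patch level not verified against the configuration checklist",
            "Human: malware delivered by e-mail attachment", "integrity",
            "high", "high", "Perimeter anti-malware filtering",
            "Enforce checklist-based patch verification and report exceptions (SI-2)"),
    Finding(3, "Visitor access log not retained for the required period",
            "Human: unauthorized physical access", "confidentiality",
            "low", "moderate", "Escorted visitors; badge-controlled entry",
            "Retain visitor logs per the physical access policy (PE-8)"),
]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Task 10: number of high, moderate and low findings."""
    counts = {"high": 0, "moderate": 0, "low": 0}
    for f in findings:
        counts[f.level] += 1
    return counts


def prioritized_actions(findings: List[Finding]) -> List[Tuple[int, str, str]]:
    """Task 10: action items ordered by risk score, then by finding number."""
    ordered = sorted(findings, key=lambda f: (-f.score, f.number))
    return [(f.number, f.level, f.recommended_controls) for f in ordered]


def poam_rows(findings: List[Finding]) -> List[Dict[str, str]]:
    """POA&M record per finding: high and moderate are to be remediated,
    low findings are tracked, matching the solicitation's stated goal."""
    rows = []
    for f in findings:
        rows.append({
            "risk_number": str(f.number),
            "description": f"{f.vulnerability} / {f.threat_source}",
            "type": f.risk_type,
            "level": f.level,
            "controls": f.existing_controls,
            "action": "remediate" if f.level in ("high", "moderate") else "track",
        })
    return rows


if __name__ == "__main__":
    # Task 8 table: pair, likelihood, impact, score and rating for each finding.
    print(f"{'#':>2}  {'L':<8} {'I':<8} {'Score':>5}  Level     Pair")
    for f in SAMPLE_FINDINGS:
        print(f"{f.number:>2}  {f.likelihood:<8} {f.impact:<8} {f.score:>5.0f}  "
              f"{f.level:<9} {f.vulnerability} / {f.threat_source}")
    print("Summary:", summarize(SAMPLE_FINDINGS))
    for number, level, action in prioritized_actions(SAMPLE_FINDINGS):
        print(f"Action for finding {number} ({level}): {action}")
```

Running the script prints the pairs table, the summary counts and the prioritized action list; `poam_rows` produces the per-risk record (risk number, description, type, level, controls, action) that the next section asks the contractor to carry into the POA&M. Note that moderate likelihood against a high impact scores exactly 50, which SP 800-30 places in the moderate band, so the thresholds are strict "greater than" comparisons.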
The ADF Senior IT Security Officer must approve the final report to enable system accreditation. The contractor will track any residual risk in the Plan of Action and Milestones (POA&M). The contractor shall document the results of the process. This shall include documenting the risk number, a description of each risk, the type of risk (i.e., impacting the confidentiality, integrity, or availability), the level of risk (i.e., low, moderate, or high), the associated controls, and the action(s) required or actually performed to eliminate or minimize each risk. The goal is for ADF and contractor personnel to remediate all high and moderate security findings, and to track the remaining security findings in the POA&M.

II. Security Testing and Evaluation

The contractor shall perform security tests and evaluations (ST&Es) on the two specified systems. The purpose of these tests and evaluations is to examine compliance with the security requirements documented in the systems' security plans and to verify that the security controls identified in each plan are correctly implemented. The testing and evaluation process is to provide a report for each system and its components on the security status of each as examined during the test period. The overall objective of the ST&Es is to ensure that a comprehensive test is successfully completed that covers all appropriate security requirements, involves all necessary individuals, and ultimately provides the information needed to support the Certification & Accreditation (C&A) process. The accepted processes will examine the systems in their production environment as hosted and supported by ADF. Interviews with system users and network support personnel from ADF will provide supporting information and insights into the implementation and operation of each system.

The ST&E effort will accomplish the following tasks.
1. Review system documentation.
2. Review results of the system Risk Assessment. Identify key areas of interest.
3. Establish a schedule for interviews and vulnerability scans.
4. Conduct interviews. Perform vulnerability scans.
5. Consolidate information gathered from interviews, scans, and checklists.
6. Analyze results.
7. Compile documentation for ST&E reports, including information on the testing tools used.
8. Prepare recommendations / final report.

This ST&E will be performed in accordance with the following:

Publications, Policies, Directives and Instructions
• Committee on National Security Systems (CNSS) Instruction 4009, "National Information Assurance Glossary", (June 2006).
• Committee on National Security Systems (CNSS) Instruction 1253, "Security Categorization and Control Selection for National Security Systems", (October 2009).
• Office of Management and Budget (OMB) Circular No. A-123, "Management Accountability and Control", (December 2004).
• Office of Management and Budget (OMB) Circular No. A-130, Appendix III, "Security of Federal Automated Information Resources", (November 2000).
• Office of Management and Budget Memorandum M-02-01, "Guidance for Preparing and Submitting Security Plans of Action and Milestones", (October 2001).
• Office of Management and Budget, Federal Enterprise Architecture (FEA) Program Management Office, FEA, "Consolidated Reference Model Document", (October 2007).
• Office of Management and Budget, Federal Enterprise Architecture (FEA) Program Management Office, FEA, "Practice Guidance", (November 2007).

Standards
• National Institute of Standards and Technology Federal Information Processing Standards Publication 199, "Standards for Security Categorization of Federal Information and Information Systems", (February 2004).
• National Institute of Standards and Technology Federal Information Processing Standards Publication 200, "Minimum Security Requirements for Federal Information and Information Systems", (March 2006).

Guidelines
• National Institute of Standards and Technology (NIST) Special Publication (SP) 800-14, "Generally Accepted Principles and Practices for Securing Information Technology Systems", (September 1996).
• National Institute of Standards and Technology Special Publication 800-18, Rev 1, "Guide for Developing Security Plans for Federal Information Systems", (February 2006).
• National Institute of Standards and Technology Special Publication 800-27, Rev A, "Engineering Principles for Information Technology Security (A Baseline for Achieving Security)", (June 2004).
• National Institute of Standards and Technology Special Publication 800-30, "Risk Management Guide for Information Technology Systems", (July 2002).
• National Institute of Standards and Technology Special Publication 800-37 Rev 1, "Guidelines for Security Certification and Accreditation of IT Systems", (February 2010).
• National Institute of Standards and Technology Special Publication 800-39 (Second Public Draft), "Managing Risk from Information Systems: An Organizational Perspective", (April 2008).
• National Institute of Standards and Technology Special Publication 800-53, Rev 3, "Recommended Security Controls for Federal Information Systems and Organizations", (August 2009).
• National Institute of Standards and Technology Special Publication 800-53A, "Guide for Assessing the Security Controls in Federal Information Systems: Building Effective Security Assessment Plans", (July 2008).
• National Institute of Standards and Technology Special Publication 800-59, "Guideline for Identifying an Information System as a National Security System", (August 2003).
• National Institute of Standards and Technology Special Publication 800-60, Volume I-Rev 1, "Guide for Mapping Types of Information and Information Systems to Security Categories" and Volume II-Rev 1, "Appendices to Guide for Mapping Types of Information and Information Systems to Security Categories", (August 2008).
• National Institute of Standards and Technology Special Publication 800-64, Rev 1, "Security Considerations in the Information System Development Life Cycle", (June 2004).
• National Institute of Standards and Technology Special Publication 800-70, "Security Configuration Checklists Program for IT Products: Guidance for Checklists Users and Developers", (May 2005).
• National Institute of Standards and Technology Special Publication 800-83, "Guide to Malware Incident Prevention and Handling", (November 2005).
• National Institute of Standards and Technology Special Publication 800-94, "Guide to Intrusion Detection and Prevention Systems (IDPS)", (February 2007).
• National Institute of Standards and Technology Special Publication 800-100, "Information Security Handbook: A Guide for Managers", (October 2006).
• African Development Foundation, "IT Security Program Policy and Minimum Implementation Standards", (September 15, 2009).

The contractor shall document the results of the process. This shall include documenting the tests and their results. The information shall be complete and detailed enough for USADF personnel to remediate all findings, and to track these and any remaining findings in the POA&M.

Proprietary Information

All information and documents made available to the contractor during the course of this contract are deemed official use only, as they provide information on system vulnerabilities, and shall be returned to the ADF upon completion of the contract.

Summary of Deliverables

The contractor shall submit all deliverables in paper copy and in electronic format in Microsoft Word on CD-ROM; they are due at the timeframes outlined below.
a) General Work Plan and Schedule (2 weeks after task award)
b) Draft Reports (targeted to be not later than Oct 30, 2010)
c) Final Reports (targeted to be not later than Nov 30, 2010)

Payment Schedule
a) General Work Plan and Schedule 10%
b) Draft Reports 30%
c) Final Reports 60%

Timeframes
9/7/10 SOW Posted
9/15/10 Bidders Questions Due
9/21/10 ADF posted answers
9/27/10 Final Bids Due
10/1/10 Evaluations completed
10/8/10 Contract Awarded
10/13/10 Contract Work Begins

Structured Proposal Format and Evaluation Criteria

(Your proposal will be evaluated on the six criteria below, per the weighting indicated.)

Complete the following on a separate page:
- Contact Information: (Name, email, telephone, address)
- Description of your business (not to exceed one page)

1. List three business references and contact information for the past three Certification and Accreditation (C and A) efforts you successfully conducted for a federal, state, or county agency. Include name, contact information, and type of C and A performed. (20%)
2. Discuss your recent Risk Assessment experience and how it relates to this request (not to exceed one page). Please provide a sample. (20%)
3. Discuss your recent Security Testing and Evaluation experience and how it relates to this request (not to exceed one page). (20%)
4. Discuss your recent Project Management and Client Management experience and how it relates to this request (not to exceed one page). (20%)
5. Cost Proposal (10%): Please estimate the man hours required to accomplish this project:
Part 1 - Plan and Schedule:
Part 2 - Testing and Draft Report:
Part 3 - Final Report:
Total Hours:
What is your hourly rate?
Incidental Costs:
Total Proposed Fixed Price for this Project:
6. General Timeline and Estimated Date of Completion (10%):

Signature and Date:

Set-aside code: Total Small Business
Place of performance: Washington, DC 20005 US
Contact: Contracting Officer, Phone 202-233-8800, Fax 202-673-3810, Email adfcontractbids@usadf.gov
Updated on 2010/09/08
Updated on 2010/09/24
TIMEFRAMES HAVE BEEN AMENDED
09/28/10 ADF posted answers
10/4/10 Final Bids Due
10/8/10 Evaluations completed
10/15/10 Contract Awarded
10/20/10 Contract Work Begins
Updated on 2010/09/28
Statement of Work

1. Are the two systems currently approved to operate, or is this the initial certification and accreditation for them?
ANSWER: Currently Approved
2. If they are currently approved to operate, what is the expiration date(s) of the current approvals?
ANSWER: November, 2010
3. Have the SSPs for the systems been developed and approved, or is the contractor expected to develop them?
ANSWER: The System Security Plan (SSP) is expected to be developed by the contractor and will be compliant with NIST SP 800-18.
4. Are business continuity/disaster recovery plans in place for the two systems?
ANSWER: NO
5. Is this a new requirement or a follow-on contract?
ANSWER: New Requirement
6. If this contract is covered by the Service Contract Act (SCA), please indicate which specific job code on the Wage Determination (WD) is most closely related to the services required.
ANSWER: Not Applicable
7. Where is the place(s) of performance - CONUS or OCONUS? If OCONUS, would you care to share what country or countries?
ANSWER: Washington, DC (CONUS)
8. If travel will be involved, will it be a separate CLIN or rolled up into Incidental Cost?
ANSWER: Not Applicable
9. Have ADF decision makers prepared or briefed the impacted employees and business area stakeholders (e.g., I.T. & Security staff) on the benefits of the C&A and the potential time line when it shall be executed?
ANSWER: YES
10. Will the government provide dedicated federal staff who will facilitate and coordinate the extensive interviews that need to occur in order to meet the deliverables/time lines stated in the SOW?
ANSWER: YES
11. Does the government anticipate any internal road-blocks, red tape, or political food-chains that may need to be managed/mitigated in advance of our team arriving?
ANSWER: NO
12. Have the WAN and PSS been certified and accredited? If yes, when?
ANSWER: YES; November, 2007
13. Is there an incumbent that has been performing the Risk Assessments and ST&Es for ADF? If yes, who? Is the incumbent eligible to bid on this effort?
ANSWER: Not Applicable
14. When was the last time a Contingency Plan test was conducted on either the WAN or PSS?
ANSWER: Not Applicable
15. Where are the production systems located for both the WAN and PSS? Are they at the ADF headquarters or at a remote data center?
ANSWER: Washington, DC
16. What are your resume requirements for proposed key personnel?
ANSWER: Qualified to do work
17. Can you provide a network topology of the USADF WAN?
ANSWER: NO
18. Can you provide a specific inventory (manufacturer and quantities) of USADF WAN devices?
ANSWER: NO
19. Can you provide a network topology of the USADF PSS?
ANSWER: The network topology consists of (10+) Dell Servers, (4-6) CISCO Routers/Switches, Tipping Point 50, PBX phone system
20. Can you provide a specific inventory (manufacturer and quantities) of USADF PSS devices?
ANSWER: See Question 19
21. Are these in scope:
• Application (ADF Web code analysis)? ANSWER: NO
• WAN (MPLS/ATM/Frame Relay: core-to-core/end-to-core)? ANSWER: YES - MPLS (but since we are disconnecting overseas sites we are technically just a LAN)
• Telecomm (VoIP, Modem, PBX)? ANSWER: NO
• Virtual (VMWare, VDI)? ANSWER: NO
• Wireless (Wi-Fi, WiMAX)? ANSWER: NO
• Social Engineering (on-site entry for DC, phone based info/password extraction)? ANSWER: NO
22. How many nodes/IPs are in scope?
• Internal: ANSWER: Less than 200 including Workstations
• External: ANSWER: Less than 10
23. Is Password Cracking in scope?
ANSWER: No

Risk Assessment

24. Has the ADF carried out detailed Risk Assessments before, or is this the first one?
ANSWER: YES
25. Has the ADF carried out a full scope Information Security & Vulnerability Assessment (a.k.a. C&A) before?
ANSWER: YES
26. Does the ADF have an existing and detailed Information Security Policy & Program in place, or will the final report from this C&A effort be used as a baseline to develop one?
ANSWER: The report from the C&A Effort will be used to develop Security Policy
27. Where does the CSO (or CISO) reside in the ADF Org Chart, relative to the I.T. department vs. the Senior/Executive Management team?
ANSWER: Not Applicable
28. There is a reference to the Nuclear Regulatory Commission Risk Assessment Report template. Is this template available for review and analysis to help gauge the level of effort?
ANSWER: Not Applicable
29. Does the African Development Foundation use any specific tool for Certification and Accreditation (C&A), for example the Cyber Assessment and Management (CSAM) Certification and Accreditation Web Tool (currently licensed under the Department of Justice to different agencies), or any other tool for C&A activities?
ANSWER: NO
30. As per FISMA guidelines, does the African Development Foundation periodically perform Vulnerability Assessment and Penetration Testing of the Networks by its IT department or a third party vendor? If not, do you anticipate that the contractor hired for this project would do such Vulnerability Assessments and Penetration Tests for the systems and Networks in scope?
ANSWER: YES
31. When was the last vulnerability scan performed on the WAN and PSS, and what type of scans were performed (i.e. network, application, etc.)?
ANSWER: December, 2009
32. Will the government provide the automated testing tools to the contractor as GFE?
ANSWER: No Government Furnished Equipment will be provided
33. Does ADF have a complete and up-to-date System Security Plan, Contingency Plan, Privacy Threshold Analysis and, if required, a Privacy Impact Analysis?
ANSWER: NO
34. What was the last FIPS 199 rating for both systems?
ANSWER: LOW
35. Are there existing system POA&Ms?
ANSWER: YES
36. Does ADF operate a test system for the WAN and PSS?
ANSWER: YES
37. What specific applications are operating on the WAN?
ANSWER: Grants Management Database Application
38. What is the function of the "ADF Web Software Application" that operates on the PSS?
ANSWER: The ADF Web Software application is the consolidation of the Grants Management Database Application system and ProReq
39. Does ADF perform Continuous Monitoring on the WAN and PSS?
ANSWER: YES
40. Does the WAN support Voice Over Internet Protocol (VOIP)?
ANSWER: YES
41. What type of Authentication technology is used with both the WAN and PSS?
ANSWER: Kerberos and NTLMv2
42. Is the encryption technology you employ FIPS 140-2 compliant?
ANSWER: Encryption isn't implemented inside the LAN; scans will not cross outside of USADF logical borders
43. Is Personally Identifiable Information (PII) processed by either the PSS or WAN?
ANSWER: YES
44. What version of the Windows Operating System are you using?
ANSWER: Windows XP, Windows 7, Server 2003, Server 2008, Server 2008-R2
45. Are your workstations Federal Desktop Core Configuration (FDCC) compliant?
ANSWER: YES
46. Does the ADF Web Software Application use mobile code?
ANSWER: Not Applicable

Security Testing and Evaluation

47. In the ST&E task, the solicitation references NIST SP 800-53A dated July 2008 instead of NIST SP 800-53A, Rev 1 dated July 2010. Was this intentional?
ANSWER: NO
48. Referenced is NIST 800-53A (July 2008). Should this be NIST 800-53A (July 2010)?
ANSWER: YES
49. Is the contractor required to develop an ST&E Plan and a SAR?
ANSWER: YES
50. As part of this effort, what documentation will be available to the contractor from the last accreditation/certification on both of these systems?
ANSWER: YES
51. What is the page limit on the solicitation response?
ANSWER: See structure format guidelines in RFF Summary of Deliverables
52. The Time frames section of the solicitation indicates a Contract Award Date of 10/8/2010 and beginning work on 10/13/2010. The Summary of Deliverables requires a General Work Plan and Schedule 2 weeks after contract award (10/27/2010). Using this timeline the awarded contractor would have less than 1 week to provide draft reports for both tasks for the two systems. Is this schedule for performing both the Risk Assessment and the ST&E tasks? The timeline for the draft reports seems overly aggressive and unrealistic. Will changes to these dates be considered? Is the Nov 30, 2010 date driven by an expiring ATO?
ANSWER: Submit best estimated timeframe in proposal
53. In response to the bidder's questions that are due on the 15th, could you please let me know if you want your correspondence via e-mail or official mail?
ANSWER: Email
54. Are all the dates below still accurate?
9/15/10 Bidders Questions Due
9/21/10 ADF posted answers
9/27/10 Final Bids Due
10/1/10 Evaluations completed
10/8/10 Contract Awarded
10/13/10 Contract Work Begins
ANSWER: New Schedule
09/15/10 Bidders Questions Due
09/28/10 ADF posted answers
10/05/10 Final Bids Due
10/08/10 Evaluations completed
10/15/10 Contract Awarded
10/20/10 Contract Work Begins
Updated on 2010/09/07