This proposal contains information and data which are privileged, confidential, and/or proprietary to First Info Tech. This information and data is commercially sensitive and/or financial in nature, is not made available for public review, and is submitted to the government on a confidential basis only for purposes of review and evaluation in connection with First Info Tech's response to the specific government request denoted herein. No other use of the information and data contained herein is permitted without the express written permission of First Info Tech. Under no condition should the information contained herein be provided in any manner whatsoever to any third party without first receiving express written permission.

First Information Technology Services, Inc.
First Info Tech

CyberSecurity Support Services

Keith T. Paige, COO
2461 South Clark Street, Suite 660
Arlington VA 22202
703-872-0507 (Office), 202-425-8622 (Mobile)

Date Submitted: August 26, 2015

Table of Contents

1.0 Introduction
2.0 Contact Information
3.0 Cyber-Security Background
4.0 Cyber-Security References
4.1 DHS ISO Support
4.2 S&T ISSO Support
4.3 Fish and Wildlife Services
4.4 Microsoft
5.0 Response to Section IV
5.1 Pre-Incident Services
5.2 Post-Incident Services


1.0 Introduction

First Information Technology Services, Inc. (First Info Tech) is a minority-owned, veteran-owned engineering service consulting company based in Arlington, Virginia. First Info Tech has experience and strengths in the following areas:

Program Management and Project Management Support; Security Planning; Assessment; Requirements; Design; Implementation; Policy/Procedures; Documentation; Contingency Planning; Security Testing; Assessment & Accreditation (A&A); FISMA Support; Security Training; Penetration Testing; Incident Response; and Engineering/Architecture.

Table 1: First Info Tech Security Experience Matrix

Columns, left to right: Security Plans; Assessment; Requirements; Design; Implementation; Policy/Procedures; Documentation; Contingency Planning; Security Testing; Certification & Authorization; FISMA Support; Security Training; Penetration Testing; Incident Response; Engineering/Architecture. Each ● marks one area of experience with that client (the mapping of marks to columns did not survive extraction; only the count per client remains).

DHS ● ● ● ● ● ● ● ● ● ● ● ● ● ●

USSS ● ● ● ● ● ● ● ● ● ●

DOI ● ● ● ● ● ● ● ● ● ● ● ●

DOT ● ● ● ● ● ● ●

USDA ● ● ●

FEMA ● ● ● ● ● ●

EPA ● ● ● ●

IRS ● ● ● ● ● ● ● ● ● ●

FMS ● ● ● ● ● ● ● ● ● ●

DOE ● ● ●

County Gov't ● ● ● ● ● ● ●

District of Columbia ● ● ●


TSA ● ● ●

2.0 Contact Information

Facility Clearance: Top Secret facility clearance
CAGE code: 1QC93
Socio-economic identifiers (e.g. Small Business, Veteran Owned, or other certification): First Info Tech is a Small Business and Veteran Owned
Point of Contact (POC): Keith T Paige
E-mail: [email protected]
Phone: 703 872-0507
Mail: First Information Technology Services, Inc., 2461 South Clark Street, Suite 660, Arlington, VA 22202
DUNS Number: 12-549-3416

3.0 Cyber-Security Background

First Info Tech has provided IT Security Services to various federal government Departments and agencies continuously since January 2000.

First Info Tech has had numerous engagements providing IA support throughout the federal government. Table 2 lists contracts where First Info Tech has performed IA support services within the last 18 months.

Table 2. First Info Tech IA Contracts

Contract: GS-35F-0374L (completed)
Description: U.S. Department of Homeland Security (DHS) ISO FISMA Compliance. First Info Tech has performed a wide variety of security activities in support of the DHS Chief Information Security Officer (CISO) and the DHS security program. First Info Tech works hand-in-hand with DHS to mature the office into an established Information Technology (IT) governance program.
Total Value: $6.5 million
Client: DHS CISO

Contract: GS-35F-0364X (Ongoing)
Description: U.S. Department of Homeland Security (DHS) ISO FISMA Compliance. First Info Tech has performed a wide variety of security activities in support of the DHS Chief Information Security Officer (CISO) and the DHS security program. First Info Tech works hand-in-hand with DHS to mature the office into an established Information Technology (IT) governance program.
Total Value: $7.8 million
Client: DHS CISO

Contract: GS-35F-0364X (Ongoing)
Description: U.S. Department of Homeland Security (DHS) Science & Technology Directorate. First Info Tech provides Information Systems Security Officer (ISSO) support on a T&M basis for classified and unclassified systems.
Total Value: $3.3 million
Client: DHS CISO

Contract: Ongoing
Description: Security Assessment, Office 365 - Cloud Computing Services. We provide security support to the Microsoft Online Services (MSO) Risk Management Group. First Info Tech provides continuous monitoring for the Office 365 Multi-Tenant, Office 365 for Government and Office 365 with ITAR Support accreditations.
Total Value: $8,000,000
Client: Microsoft Corporation

Contract: 98210AA015 (Completed)
Description: U.S. Department of Interior, Fish & Wildlife Service. First Info Tech provided a wide range of support to DOI's Fish and Wildlife Service (FWS), to include assessing the maturity of the FWS information security program and developing recommendations for improvement. Based on the results of this assessment, FITS developed a maturity roadmap for FWS to provide a path from the existing program to a more compliant and mature future that would maximize value and minimize effort.
Total Value: $2,000,000
Client: DOI FWS

Contract: Subcontractor to Engility
Description: U.S. Secret Service (USSS) IT Security Support. First Info Tech provides ISSO support on a T&M basis for unclassified systems as a subcontractor.
Total Value: $735,492
Client: U.S. Secret Service

Contract: Subcontractor to Summit Technologies
Description: Cybersecurity Certification and Accreditation Support. First Info Tech provides cybersecurity engineers to the Federal Communications Commission supporting a variety of security activities, and is responsible for working to mature the office into an established IT governance program.
Total Value: $5,477,126.82
Client: Federal Communications Commission

4.0 Cyber-Security References

First Info Tech has selected four past performances that accurately demonstrate our ability to successfully perform Cybersecurity Support Services. Throughout all four past performances, First Info Tech demonstrates our experience serving as trusted advisors to our customers. Collectively, they display our experience at DHS HQ, throughout DHS Components, and across Federal Agencies and the commercial sector. The past performances serve as an accurate predictor of our ability to succeed. The matrix below indicates that our past performances cover the primary functions generally supported in IT security tasks.

Capabilities and Experience across First Info Tech's Past Performances

Columns: Past Performance; Project Management; Information Security Program Management; Information Assurance; Continuous Monitoring; Information Security Governance; Cybersecurity Management; Communications Security. (The per-cell marks of this matrix did not survive extraction; only the row labels remain.)

Past Performance rows:

ISO

S&T

FWS


Microsoft

4.1 DHS ISO Support

DHS Office of the Chief Information Officer (OCIO) ISO Compliance Support

Contract Type and Number (or Identifier): Task Order HSHQDC-13-F-00177
Name and Address of Company/Agency: Department of Homeland Security, Office of Procurement Operations, Information Tech. Acquisition Ctr., 245 Murray Lane, SW, #0115, Washington DC 20528-0115
Contact Person: Ken Pearlstein
Telephone and Fax Number of Contact Person: (202) 306-8987 (blackberry)
E-mail Address of Contact Person: [email protected]
Identify if you were the Prime or Subcontractor: Prime
Period of Performance (e.g. start date and completion date): 9/2013 – 5/2016 (newly awarded contract); supported these same activities on additional contracts since 2005
Contract Value: $7.82M

Description of Work (Types of work performed, problems encountered and their resolutions, any subcontractors or partnerships...):

First Info Tech (FITS) has performed a wide variety of security activities in support of the DHS Chief Information Security Officer (CISO) and the DHS security program since 2003, both as a prime contractor and as a subcontractor. During this time, FITS has worked hand-in-hand with DHS to mature the office into the established enterprise-wide Information Technology (IT) governance program that it is today. As evidence of its value to the DHS security program, the CISO has just awarded FITS a contract to continue to provide project management and compliance support for the next three years.

FITS has provided, and will continue to provide, a wide variety of services to the Director of Compliance to keep the program running efficiently, including:

• Developed a methodology and conducted in-depth reviews of the actual security posture of DHS systems. These "Deep Dive" reviews serve as the standard for conducting Security Test and Evaluations (ST&Es) at DHS. [Security Validation and Testing]

• Developed a methodology and conducted Critical Control Reviews (CCRs) of more than 250 DHS systems. [Information Assurance Governance (IAG), Security Validation and Testing, Continuous Monitoring]

• Led efforts to develop C&A document templates and review checklists to improve the quality and consistency of these key documents. [Security Authorization, Information Assurance Governance (IAG)]

• Conducted document reviews as part of the C&A validation process. [Security Authorization, Information Assurance Governance (IAG)]

• Authored the DHS C&A Methodology and Guide and the DHS Information System Security Officer (ISSO) Guide. [Security Authorization, Information Assurance Governance (IAG)]

• Developed and maintained the DHS Plan of Action and Milestones (POA&M) process and Guide. [Information Assurance Governance (IAG), Security Authorization]

• Provided POA&M monitoring and remediation support to track program and system vulnerabilities across all Components within the Department to help assess overall risk posture. [Security Authorization, Information Assurance Governance (IAG), Continuous Monitoring]

• Helped develop metrics to assess the effectiveness of the DHS Security Program and to support FISMA reporting. [Information Assurance Governance (IAG)]

• Supported development and production of a DHS FISMA scorecard. [Information Assurance Governance (IAG)]

• Provided ISSO support to six systems within DHS and its Components, including financial and asset management systems. ISSO duties included implementing security controls, conducting continuous monitoring activities (e.g., audit log reviews) and responding to suspected security incidents. [Continuous Monitoring]

• Developed training materials and provided training to DHS Components on FISMA requirements, the DHS FISMA scorecard, the C&A process, the POA&M process, C&A document preparation and review procedures, the use of automated tools that support these processes, and how to conduct NIST SP 800-53 annual assessments. [Security Authorization, Information Assurance Governance (IAG)]

• Presented briefings to audiences of more than 100 security professionals on various security topics at the annual DHS and USCG security conferences from 2005 through 2009. [Security Authorization, Information Assurance Governance (IAG)]

• Served as subject matter experts in support of developing formal training courses for DHS personnel with significant security responsibilities. [Security Authorization, Information Assurance Governance (IAG)]

• Supported DHS IT security audit management efforts during all phases of the audit cycle, including helping Components prepare for audits, supporting Components during audits, and developing audit remediation strategies for GAO, OIG, financial and FISMA audit findings.

4.2 S&T ISSO Support

S&T ISSO Support

Contract Type and Number (or Identifier): Contract GS-35F-0364X, Task Order HSHQDC-12-F-00046, Time & Materials
Name and Address of Company/Agency: Department of Homeland Security - Science and Technology Directorate (S&T), 1120 Vermont Ave, NW, Washington DC 20005
Contact Person: Karen Beirne, GSCL Compliance Officer
Telephone and Fax Number of Contact Person: (202) 254-2421 and (202) 254-5671
E-mail Address of Contact Person: [email protected]
Identify if you were the Prime or Subcontractor: Prime
Period of Performance (e.g. start date and completion date): June 1, 2013 - present
Contract Value: $3,224,522

Description of Work (Types of work performed, problems encountered and their resolutions, any subcontractors or partnerships...):

First Info Tech provides ISSO support on a T&M basis for classified and unclassified systems at the DHS S&T Directorate. First Info Tech responsibilities under this task are mapped to the RFP SOW and include:

• Provide overall Project Management to ensure performance is within budget and schedule [Program Management Support, Security Program Management and Integration Support];

• Work with IT Program Managers, system developers, technical staff and business stakeholders to ensure that assigned systems are developed, operated, used, maintained, and disposed of in accordance with DHS security policies and best practices [Secure System/Software Development];

• Ensure that systems are accredited based on NIST or DIACAP guidance; prepare required Security Authorization documentation including Security Plans and POA&Ms and related documents (e.g., ISA) and assist with preparation of Security Assessment Reports [Security Authorization, Interconnection Security Agreements];

• Ensure audit trails are reviewed periodically in accordance with departmental policy [Continuous Monitoring];

• Initiate protective or corrective measures if a security problem is discovered;

• Determine when time-sensitive system patches must be quickly implemented to protect systems [Continuous Monitoring];

• Evaluate known vulnerabilities to ascertain if additional safeguards are needed [Risk Management];

• Perform complete security analysis and compliance review of all new IT initiatives, to include but not limited to information systems, hardware, and software [Secure System/Software Development];

• Perform duties as the security specialist for secure rooms/SCIFs which have the possibility to process information up to the TS/SCI level (where applicable);

• Perform Local Registration Authority duties for their respective sites [PKI Service Desk Support];

• Conduct IT security, awareness, and privacy training for employees as needed [Information Assurance Governance];

• Provide IT security subject matter expertise on all projects, purchases, and procedures to ensure acceptance from the CISO;

• Provide on-site security vulnerability testing/scanning for all current and future systems [Security Validation and Testing]; and

• Perform all IT security tasks that are directed and required by the CISO.

4.3 Fish and Wildlife Services

U.S. Department of Interior, Fish and Wildlife Service - IT Security Support

Contract Type and Number (or Identifier): Contract 98210AA015 F12PD00428, Time & Materials
Name and Address of Company/Agency: U.S. Department of Interior, Fish and Wildlife Service
Contact Person: Jeff Monroe, Information Security Compliance Manager
Telephone and Fax Number of Contact Person: (703) 358-2403 and (703) 358-2251
E-mail Address of Contact Person: [email protected]
Identify if you were the Prime or Subcontractor: Prime
Period of Performance (e.g. start date and completion date): October 2010 - Present
Contract Value: $2,000,000

Description of Work (Types of work performed, problems encountered and their resolutions, any subcontractors or partnerships...):

FITS provided a wide range of support to DOI's Fish and Wildlife Service (FWS), to include assessing the maturity of the FWS information security program and developing recommendations for improvement. Based on the results of this assessment, FITS developed a maturity roadmap for FWS to provide a path from the existing program to a more compliant and mature future that would maximize value and minimize effort.

FITS began implementing the roadmap by creating a series of policy handbooks for all FWS roles with information security responsibilities, such as Information System Security Officer, System Administrator, and Security Training Manager. Each handbook details and defines specific, role-based information security policies based on NIST SP 800-53 Rev. 3 as well as program-specific policies unique to FWS, and includes implementation examples and guidance for how to effectively meet policies. To date, we have developed a series of 17 handbooks that helped FWS mature to CMMI/PRISMA level 2.

Additionally, FITS was responsible for conducting Annual FISMA Assessments for 36 systems in accordance with FISMA requirements and NIST SP 800-37 Rev. 1. Activities included:

• Scheduling all assessment activities with system personnel

• Creating Security Assessment Plans including Requirements Traceability Matrices [Security Validation and Testing]

• Completing assessment activities such as interviews, examinations, and tests of "focused" depth consistent with NIST SP 800-53A Rev. 1, and completing Vulnerability Scan Analyses [Continuous Monitoring, Security Authorization, & Risk Management]

• Documenting assessment results for each system in a Security Assessment Report

• Writing detailed Plans of Action and Milestones for each identified weakness [Continuous Monitoring & Risk Management]

4.4 Microsoft

Microsoft Cloud Security Services

Contract Type and Number (or Identifier): MMVA Number: 1005565
Name and Address of Company/Agency: Microsoft, 15010 NE 36th Street, Redmond, WA 98052
Contact Person: Patricia Anderson, Senior Program Manager Lead, Office 365 Compliance Services
Telephone and Fax Number of Contact Person: (425) 538-6568 ext. 86568 and Fax: n/a
E-mail Address of Contact Person: [email protected]
Identify if you were the Prime or Subcontractor: Prime
Period of Performance (e.g. start date and completion date): 9/2011 - Present
Contract Value: $3,003,860

Description of Work (Types of work performed, problems encountered and their resolutions, any subcontractors or partnerships...):

FITS provided information security support for multiple Microsoft Cloud Service Offerings, including the Office 365 Multi-Tenant, Office 365 for Government and Office 365 with ITAR Support accreditations. We worked with Microsoft to create Security Plans for their federal cloud offerings and to institute DHS and Federally accepted information security practices for disaster recovery, incident response, access control, and all security controls within NIST SP 800-53 as modified within the FedRAMP security baseline.

Services provided include:

• A&A Documentation Review - FITS engineers used Document Review validation checklists, developed originally for DHS and modified for Microsoft, to determine whether the current A&A documents met requirements and standards.

• System Review - FITS engineers developed a Security Assessment Plan (SAP) based on a NIST SP 800-53A compliant FedRAMP Control Tailoring Workbook. The test plan followed FedRAMP and used multiple security tools such as Nessus.

• Education - We worked with Microsoft system personnel to educate them on test procedures and findings, to improve overall understanding of Federal information security best practices.

In addition to FedRAMP and FISMA compliance with A&A, we also provided Continuous Monitoring services such as:

• Monitoring changes to the environment for compliance impact

• Reviewing requests for compliance exceptions (temporary deviations) or exemptions (permanent deviations) and recommending approval/rejection to Microsoft personnel

• Documenting NIST SP 800-30 Risk Assessments as needed to support change approval or POA&M resolution dates

• Recommending/implementing enhancements to Microsoft's existing governance processes

Relevance: We understand the commercial market as well as the Federal environment. We have robust experience with securing emerging technologies including Cloud Services.


5.0 Response to Section IV

Below, we have indicated which of the listed services we are most capable of supporting:

5.1 Pre-Incident Services

• Incident Response Agreements – Terms and conditions in place ahead of time to allow for quicker response in the event of a cyber-security incident.

• Assessments – Evaluate a State Agency's current state of information security and cyber-security incident response capability.

• Preparation – Provide guidance on requirements and best practices.

• Developing Cyber-Security Incident Response Plans – Develop or assist in development of written State Agency plans for incident response in the event of a cyber-security incident.

• Training – Provide training for State Agency staff, from basic user awareness to technical education.

5.2 Post-Incident Services

• Investigation/Clean-up – Conduct rapid evaluation of incidents, lead investigations and provide remediation services to restore State Agency operations to pre-incident levels.

• Incident Response – Provide guidance or technical staff to assist State Agencies in response to an incident.

• Mitigation Plans – Assist State Agency staff in development of mitigation plans based on investigation and incident response. Assist State Agency staff with incident mitigation activities.