This proposal contains information and data which are privileged, confidential, and/or proprietary to First Info Tech. This information and data is commercially sensitive and/or financial in nature, is not made available for public review, and is submitted to the government on a confidential basis only for purposes of review and evaluation in connection with First Info Tech's response to the specific government request denoted herein. No other use of the information and data contained herein is permitted without the express written permission of First Info Tech. Under no condition should the information contained herein be provided in any manner whatsoever to any third party without first receiving express written permission.
First Information
Technology Services, Inc.
First Info Tech
CyberSecurity Support Services
Keith T. Paige, COO
2461 South Clark Street, Suite 660
Arlington VA 22202
703-872-0507 (Office), 202-425-8622 (Mobile)
Date Submitted: August 26, 2015
Table of Contents
1.0 INTRODUCTION ........................................ 3
2.0 CONTACT INFORMATION ................................ 4
3.0 CYBER-SECURITY BACKGROUND .......................... 4
4.0 CYBER-SECURITY REFERENCES .......................... 5
4.1 DHS ISO SUPPORT .................................... 6
4.2 S&T ISSO SUPPORT ................................... 8
4.3 FISH AND WILDLIFE SERVICES ......................... 9
4.4 MICROSOFT .......................................... 10
5.0 RESPONSE TO SECTION IV ............................. 12
5.1 PRE-INCIDENT SERVICES .............................. 12
5.2 POST-INCIDENT SERVICES ............................. 12
1.0 Introduction
First Information Technology Services, Inc. (First Info Tech) is a minority-owned, veteran-owned engineering service consulting company based in Arlington, Virginia. First Info Tech has experience and strengths in the following areas:
Program Management and Project Management Support; Security Planning; Assessment; Requirements; Design; Implementation; Policy/Procedures; Documentation; Contingency Planning; Security Testing; Assessment & Accreditation (A&A); FISMA Support; Security Training; Penetration Testing; Incident Response; and Engineering/Architecture.
Table 1: First Info Tech Security Experience Matrix

Columns (left to right): Security Plans; Assessment; Requirements; Design; Implementation; Policy/Procedures; Documentation; Contingency Planning; Security Testing; Certification & Authorization; FISMA Support; Security Training; Penetration Testing; Incident Response; Engineering/Architecture

DHS ● ● ● ● ● ● ● ● ● ● ● ● ● ●
USSS ● ● ● ● ● ● ● ● ● ●
DOI ● ● ● ● ● ● ● ● ● ● ● ●
DOT ● ● ● ● ● ● ●
USDA ● ● ●
FEMA ● ● ● ● ● ●
EPA ● ● ● ●
IRS ● ● ● ● ● ● ● ● ● ●
FMS ● ● ● ● ● ● ● ● ● ●
DOE ● ● ●
County Gov’t ● ● ● ● ● ● ●
District of Columbia ● ● ●
TSA ● ● ●
2.0 Contact Information
Facility Clearance and CAGE code: Top Secret facility clearance. CAGE code: 1QC93
Socio-Economic identifiers (e.g. Small Business, Veteran Owned, or other certification): First Info Tech is a Small Business and Veteran Owned
Point of Contact (POC): Keith T Paige
E-mail: [email protected]
Phone: 703 872-0507
Mail: First Information Technology Services, Inc., 2461 South Clark Street, Suite 660, Arlington, VA 22202
DUNS Number: 12-549-3416
3.0 Cyber-Security Background
First Info Tech has provided IT Security Services to various federal government Departments and agencies continuously since January 2000.
First Info Tech has had numerous engagements providing IA support throughout the federal government. Table 2 lists contracts where First Info Tech has performed IA support services within the last 18 months.
Table 2. First Info Tech IA Contracts

Contract: GS-35F-0374L (completed)
Description: U.S. Department of Homeland Security (DHS) ISO FISMA Compliance - First Info Tech has performed a wide variety of security activities in support of the DHS Chief Information Security Officer (CISO) and the DHS security program. First Info Tech works hand-in-hand with DHS to mature the office into an established Information Technology (IT) governance program.
Total Value: $6.5 million
Client: DHS CISO

Contract: GS-35F-0364X (Ongoing)
Description: U.S. Department of Homeland Security (DHS) ISO FISMA Compliance - First Info Tech has performed a wide variety of security activities in support of the DHS Chief Information Security Officer (CISO) and the DHS security program. First Info Tech works hand-in-hand with DHS to mature the office into an established Information Technology (IT) governance program.
Total Value: $7.8 million
Client: DHS CISO

Contract: GS-35F-0364X (Ongoing)
Description: U.S. Department of Homeland Security (DHS) Science & Technology Directorate – First Info Tech provides Information Systems Security Officer (ISSO) support on a T&M basis for classified and unclassified systems.
Total Value: $3.3 million
Client: DHS CISO

Contract: Ongoing
Description: Security Assessment, Office 365 - Cloud Computing Services - We provide security support to the Microsoft Online Services (MSO) Risk Management Group. First Info Tech provides continuous monitoring for the Office 365 Multi-Tenant, Office 365 for Government and Office 365 with ITAR Support accreditations.
Total Value: $8,000,000
Client: Microsoft Corporation

Contract: 98210AA015 (Completed)
Description: U.S. Department of Interior, Fish & Wildlife Service – First Info Tech provided a wide range of support to DOI’s Fish and Wildlife Service (FWS), including assessing the maturity of the FWS information security program and developing recommendations for improvement. Based on the results of this assessment, FITS developed a maturity roadmap for FWS to provide a path from the existing program to a more compliant and mature future that would maximize value and minimize effort.
Total Value: $2,000,000
Client: DOI FWS

Contract: Subcontractor to Engility
Description: U.S. Secret Service (USSS) IT Security Support - First Info Tech provides ISSO support on a T&M basis for unclassified systems as a Subcontractor.
Total Value: $735,492
Client: U.S. Secret Service

Contract: Subcontractor to Summit Technologies
Description: Cybersecurity Certification and Accreditation Support – First Info Tech provides cybersecurity engineers to the Federal Communications Commission supporting a variety of security activities. Responsible for working to mature the office into an established IT governance program.
Total Value: $5,477,126.82
Client: Federal Communications Commission
4.0 Cyber-Security References
First Info Tech has selected four past performances that accurately demonstrate our ability to successfully perform Cybersecurity Support Services. Throughout all four past performances, First Info Tech demonstrates our experience serving as trusted advisors to our customers. Collectively, they display our experience at DHS HQ, throughout DHS Components, and across Federal Agencies and the commercial sector. The past performances serve as an accurate predictor of our ability to succeed. The matrix below indicates that our past performances cover the primary functions generally supported in IT security tasks.
Capabilities and Experience across First Info Tech’s Past Performances

Columns: Past Performance; Project Management; Information Security Program Management; Information Assurance; Continuous Monitoring; Information Security Governance; Cybersecurity Management; Communications Security
Rows (Past Performance): ISO; S&T; FWS; Microsoft
4.1 DHS ISO Support

DHS Office of the Chief Information Officer (OCIO) ISO Compliance Support
Contract Type and Number (or Identifier): Task Order HSHQDC-13-F-00177
Name and Address of Company/Agency: Department of Homeland Security, Office of Procurement Operations, Information Tech. Acquisition Ctr., 245 Murray Lane, SW, #0115, Washington DC 20528-0115
Contact Person: Ken Pearlstein
Telephone and Fax Number of Contact Person: (202) 306-8987 (blackberry)
E-mail Address of Contact Person: [email protected]
Identify if you were the Prime or Subcontractor: Prime
Period of Performance (e.g. start date and completion date): 9/2013 – 5/2016 (newly awarded contract). Supported these same activities on additional contracts since 2005.
Contract Value: $7.82M
Description of Work (Types of work performed, problems encountered and their resolutions, any subcontractors or partnerships…):

First Info Tech (FITS) has performed a wide variety of security activities in support of the DHS Chief Information Security Officer (CISO) and the DHS security program since 2003, both as a prime contractor and as a subcontractor. During this time, FITS has worked hand-in-hand with DHS to mature the office into the established enterprise-wide Information Technology (IT) governance program that it is today. As evidence of its value to the DHS security program, the CISO has just awarded FITS a contract to continue to provide project management and compliance support for the next three years.

FITS has provided, and will continue to provide, a wide variety of services to the Director of Compliance to keep the program running efficiently, including:

- Developed a methodology and conducted in-depth reviews of the actual security posture of DHS systems. These “Deep Dive” reviews serve as the standard for conducting Security Test and Evaluations (ST&Es) at DHS. [Security Validation and Testing]
- Developed a methodology and conducted Critical Control Reviews (CCRs) of more than 250 DHS systems. [Information Assurance Governance (IAG), Security Validation and Testing, Continuous Monitoring]
- Led efforts to develop C&A document templates and review checklists to improve the quality and consistency of these key documents. [Security Authorization, Information Assurance Governance (IAG)]
- Conducted document reviews as part of the C&A validation process. [Security Authorization, Information Assurance Governance (IAG)]
- Authored the DHS C&A Methodology and Guide and the DHS Information System Security Officer (ISSO) Guide. [Security Authorization, Information Assurance Governance (IAG)]
- Developed and maintained the DHS Plan of Action and Milestones (POA&M) process and Guide. [Information Assurance Governance (IAG), Security Authorization]
- Provided POA&M monitoring and remediation support to track program and system vulnerabilities across all Components within the Department to help assess overall risk posture. [Security Authorization, Information Assurance Governance (IAG), Continuous Monitoring]
- Helped develop metrics to assess the effectiveness of the DHS Security Program and to support FISMA reporting. [Information Assurance Governance (IAG)]
- Supported development and production of a DHS FISMA scorecard. [Information Assurance Governance (IAG)]
- Provided ISSO support to six systems within DHS and its Components, including financial and asset management systems. ISSO duties included implementing security controls, conducting continuous monitoring activities (e.g., audit log reviews) and responding to suspected security incidents. [Continuous Monitoring]
- Developed training materials and provided training to DHS Components on FISMA requirements, the DHS FISMA scorecard, the C&A process, the POA&M process, C&A document preparation and review procedures, the use of automated tools that support these processes, and how to conduct NIST SP 800-53 annual assessments. [Security Authorization, Information Assurance Governance (IAG)]
- Presented briefings to audiences of more than 100 security professionals on various security topics at the annual DHS and USCG security conferences from 2005 through 2009. [Security Authorization, Information Assurance Governance (IAG)]
- Served as subject matter experts in support of developing formal training courses for DHS personnel with significant security responsibilities. [Security Authorization, Information Assurance Governance (IAG)]
- Supported DHS IT security audit management efforts during all phases of the audit cycle, including helping Components prepare for audits, supporting Components during audits, and developing audit remediation strategies for GAO, OIG, financial and FISMA audit findings.
4.2 S&T ISSO Support

S&T ISSO Support
Contract Type and Number (or Identifier): Contract GS-35F-0364X, Task Order HSHQDC-12-F-00046, Time & Materials
Name and Address of Company/Agency: Department of Homeland Security - Science and Technology Directorate (S&T), 1120 Vermont Ave, NW, Washington DC 20005
Contact Person: Karen Beirne, GSCL Compliance Officer
Telephone and Fax Number of Contact Person: (202) 254-2421 and (202) 254-5671
E-mail Address of Contact Person: [email protected]
Identify if you were the Prime or Subcontractor: Prime
Period of Performance (e.g. start date and completion date): June 1, 2013 - present
Contract Value: $3,224,522
Description of Work (Types of work performed, problems encountered and their resolutions, any subcontractors or partnerships…):

First Info Tech provides ISSO support on a T&M basis for classified and unclassified systems at the DHS S&T Directorate. First Info Tech responsibilities under this task are mapped to the RFP SOW and include:

- Provide overall Project Management to ensure performance is within budget and schedule [Program Management Support, Security Program Management and Integration Support];
- Work with IT Program Managers, system developers, technical staff and business stakeholders to ensure that assigned systems are developed, operated, used, maintained, and disposed of in accordance with DHS security policies and best practices [Secure System/Software Development];
- Ensure that systems are accredited based on NIST or DIACAP guidance; prepare required Security Authorization documentation including Security Plans and POA&Ms and related documents (e.g., ISA) and assist with preparation of Security Assessment Reports [Security Authorization, Interconnection Security Agreements];
- Ensure audit trails are reviewed periodically in accordance with departmental policy [Continuous Monitoring];
- Initiate protective or corrective measures if a security problem is discovered;
- Determine when time-sensitive system patches must be quickly implemented to protect systems [Continuous Monitoring];
- Evaluate known vulnerabilities to ascertain if additional safeguards are needed [Risk Management];
- Perform complete security analysis and compliance review of all new IT initiatives, including but not limited to information systems, hardware, and software [Secure System/Software Development];
- Perform duties as the security specialist for secure rooms/SCIFs which have the possibility to process information up to the TS/SCI level (where applicable);
- Perform Local Registration Authority duties for their respective sites [PKI Service Desk Support];
- Conduct IT security, awareness, and privacy training for employees as needed [Information Assurance Governance];
- Provide IT security subject matter expertise on all projects, purchases, and procedures to ensure acceptance from the CISO;
- Provide on-site security vulnerability testing/scanning for all current and future systems [Security Validation and Testing]; and
- Perform all IT security tasks that are directed and required by the CISO.
4.3 Fish and Wildlife Services

U.S. Department of Interior, Fish and Wildlife Service - IT Security Support
Contract Type and Number (or Identifier): Contract 98210AA015 F12PD00428, Time & Materials
Name and Address of Company/Agency: U.S. Department of Interior, Fish and Wildlife Service
Contact Person: Jeff Monroe, Information Security Compliance Manager
Telephone and Fax Number of Contact Person: (703) 358-2403 and (703) 358-2251
E-mail Address of Contact Person: [email protected]
Identify if you were the Prime or Subcontractor: Prime
Period of Performance (e.g. start date and completion date): October 2010 - Present
Contract Value: $2,000,000
Description of Work (Types of work performed, problems encountered and their resolutions, any subcontractors or partnerships…):

FITS provided a wide range of support to DOI’s Fish and Wildlife Service (FWS), including assessing the maturity of the FWS information security program and developing recommendations for improvement. Based on the results of this assessment, FITS developed a maturity roadmap for FWS to provide a path from the existing program to a more compliant and mature future that would maximize value and minimize effort.

FITS began implementing the roadmap by creating a series of policy handbooks for all FWS roles with information security responsibilities, such as Information System Security Officer, System Administrator, and Security Training Manager. Each handbook details and defines specific, role-based information security policies based on NIST SP 800-53 Rev. 3 as well as program-specific policies unique to FWS, and includes implementation examples and guidance for how to effectively meet policies. To date, we have developed a series of 17 handbooks that helped FWS mature to CMMI/PRISMA level 2.

Additionally, FITS was responsible for conducting Annual FISMA Assessments for 36 systems in accordance with FISMA requirements and NIST SP 800-37 Rev. 1. Activities included:

- Scheduling all assessment activities with system personnel
- Creating Security Assessment Plans including Requirements Traceability Matrices [Security Validation and Testing]
- Completing assessment activities such as interviews, examinations, and tests of “focused” depth consistent with NIST SP 800-53A Rev. 1, and completing Vulnerability Scan Analyses [Continuous Monitoring, Security Authorization, & Risk Management]
- Documenting assessment results for each system in a Security Assessment Report
- Writing detailed Plans of Action and Milestones for each identified weakness [Continuous Monitoring & Risk Management]
4.4 Microsoft

Microsoft Cloud Security Services
Contract Type and Number (or Identifier): MMVA Number: 1005565
Name and Address of Company/Agency: Microsoft, 15010 NE 36th Street, Redmond, WA 98052
Contact Person: Patricia Anderson, Senior Program Manager Lead, Office 365 Compliance Services
Telephone and Fax Number of Contact Person: (425) 538-6568 ext. 86568 and Fax: n/a
E-mail Address of Contact Person: [email protected]
Identify if you were the Prime or Subcontractor: Prime
Period of Performance (e.g. start date and completion date): 9/2011 - Present
Contract Value: $3,003,860
Description of Work (Types of work performed, problems encountered and their resolutions, any subcontractors or partnerships…):

FITS provided information security support for multiple Microsoft Cloud Service Offerings, including the Office 365 Multi-Tenant, Office 365 for Government and Office 365 with ITAR Support accreditations. We worked with Microsoft to create Security Plans for their federal cloud offerings and to institute DHS and Federally accepted information security practices for disaster recovery, incident response, access control, and all security controls within NIST SP 800-53 as modified within the FedRAMP security baseline. Services provided include:

- A&A Documentation Review - FITS engineers used Document Review validation checklists, developed originally for DHS and modified for Microsoft, to determine if the current A&A documents met requirements and standards.
- System Review - FITS engineers developed a Security Assessment Plan (SAP) based on a NIST 800-53A compliant FedRAMP Control Tailoring Workbook. The test plan followed FedRAMP and used multiple security tools such as NESSUS.
- Education – We worked with Microsoft system personnel to educate them on test procedures and findings to improve overall understanding of Federal information security best practices.

In addition to FedRAMP and FISMA compliance with A&A, we also provided Continuous Monitoring services such as:

- Monitoring changes to the environment for compliance impact
- Reviewing requests for compliance exceptions (temporary deviations) or exemptions (permanent deviations) and recommending approval/rejection to Microsoft personnel
- Documenting NIST 800-30 Risk Assessments as needed to support change approval or POA&M resolution dates
- Recommending/implementing enhancements to Microsoft’s existing governance processes

Relevance: We understand the commercial market as well as the Federal environment. We have robust experience with securing emerging technologies including Cloud Services.
5.0 Response to Section IV
Below, we have indicated which of the listed services we are most capable of supporting:
5.1 Pre-Incident Services

- Incident Response Agreements – Terms and conditions in place ahead of time to allow for quicker response in the event of a cyber-security incident.
- Assessments – Evaluate a State Agency’s current state of information security and cyber-security incident response capability.
- Preparation – Provide guidance on requirements and best practices.
- Developing Cyber-Security Incident Response Plans – Develop or assist in development of written State Agency plans for incident response in the event of a cyber-security incident.
- Training – Provide training for State Agency staff from basic user awareness to technical education.

5.2 Post-Incident Services

- Investigation/Clean-up – Conduct rapid evaluation of incidents, lead investigations and provide remediation services to restore State Agency operations to pre-incident levels.
- Incident Response – Provide guidance or technical staff to assist State Agencies in response to an incident.
- Mitigation Plans – Assist State Agency staff in development of mitigation plans based on investigation and incident response. Assist State Agency staff with incident mitigation activities.