REQUEST FOR PROPOSALS (RFP) No. 016-020
RISK AND SECURITY ASSESSMENT OF VRE’S BANDWIDTH AND NETWORK
INFRASTRUCTURE
QUESTIONS AND ANSWERS
Below are questions VRE received as of March 31, 2016 at 11:00 A.M. EST, with responses.
Whenever possible, questions are presented as originally asked. Otherwise, the questions or
inquiries are presented to capture the main thrust or idea.
SECTION A – PURPOSE/BACKGROUND
1. Can VRE explain why it is soliciting Proposals for a risk and security assessment since VRE previously advertised a Request for Quotes (RFQ) for this work?
The RFQ was cancelled and this RFP subsequently advertised to allow for evaluation of other criteria such as project approach, capability and expertise of the firm, etc., in addition to price.
2. Is there anything required in this RFP that was not included in the previous RFQ advertised in December 2015?
Offerors shall review the RFP for any changes.
3. Can VRE provide feedback regarding the Quotes received in response to the previous RFQ?
VRE does not have feedback regarding the previous RFQ.
4. Can VRE identify the size of its network, including the number of workstations (desktops and notebooks), thin clients, routers/firewalls, network switches, load balancers and gateway devices?
VRE has ninety-six (96) laptops/desktops. The number of routers/firewalls, network
switches, load balancers and gateway devices is identified in Section A.3.
5. Can VRE provide a full, updated/accurate and detailed network diagram?
This is a deliverable required to be provided by the Contractor.
6. In reference to Section A.3D., how fast are the interfaces or what are the speeds on the ASA 5500s and the Sonicwall NSA 220/3600s?
The speeds of the network interfaces are identified in Section A.3D.9.
7. Section A.3D.4. states that VRE has approximately twenty-two (22) physical servers. What applications are running on these servers? What are the servers used for (memory, storage, OS)?
VRE’s physical servers are mostly Dell PowerEdge R710 servers with memory ranging from eight (8) GB to twelve (12) GB and storage ranging from two hundred and fifty (250) GB to one (1) TB. The following applications are running on the physical servers:
A. Fare collection system (eight (8) servers) including:
1. AD – two (2)
2. Fare collection application – two (2)
3. Fare collection database – two (2)
4. Fare collection credit and debit processing – two (2)
B. Backup Exec (two (2) servers) including:
1. BE 2012
2. BE 2014
C. Access control (one (1) server)
D. VoIP media (two (2) servers)
RFP No. 016-020
Risk and Security Assessment of VRE’s
Bandwidth and Network Infrastructure
Virginia Railway Express
2
E. Application server (remote desktop and enterprise protection)
F. Active Directory (two (2) servers)
G. Disaster recovery (three (3) servers)
H. VM host (three (3) servers)
8. Section A.3D.6. states that VRE has approximately twenty-four (24) virtual servers. What applications are running on these virtual servers (memory, storage, OS)? Is VRE looking to move this into the Cloud?
Virtual machine guests have memory ranging from four (4) GB to sixteen (16) GB and storage ranging from one hundred and twenty-seven (127) GB to two hundred and fifty-four (254) GB. Most of the operating systems running on these guest servers are Windows Server 2008 R2, with some Windows Server 2012 R2. The following applications are running on the virtual machines:
A. SQL (three (3) servers)
B. Domain controller
C. Blackberry enterprise (two (2) servers)
D. VoIP (two (2) servers)
E. File server
F. Exchange (three (3) servers)
G. Network load balancer (two (2) servers)
H. Application server
I. Train locator (customer Java)
J. Financial management (two (2) servers)
K. IIS (two (2) servers)
L. Service management server
M. Visual messaging system server
N. Remote desktop server
O. Windows SUS
P. Network monitoring (WUG) server
VRE is considering moving some, if not most, of these servers to the Cloud.
9. Will VRE’s selected Cloud provider have management built in or readily available as an option in its platform?
VRE will utilize Microsoft Azure for Cloud computing services.
10. Section A.3D.7. states that VRE’s current Information Technology (IT) infrastructure includes forty-eight (48) mobile devices. Is it a requirement to include end user monitoring and optimization for browser and mobile applications used on the end user devices (e.g., iPhone, Android, Blackberry)?
No.
11. Are any of the mobile devices dual-SIM operated?
No.
12. Are any of the Android devices rooted or do they have custom ROMs?
No.
13. Are any of the iPhone devices “jailbroken”?
No.
14. Apart from a penetration test or vulnerability assessment, is there anything else the Contractor must provide for VRE’s mobile devices?
No.
15. In reference to Section A.3D.8., must the Contractor conduct or complete a wireless assessment, including heat maps, signal strength tests, security, throughput, etc.?
At a minimum, the Contractor shall perform an assessment that satisfies the standards
identified in Section D.1B.
16. Does the wireless solution have to remain on premises or can it be Cloud based?
The wireless solution must remain on premises.
17. In reference to Section A.3D.9., are the Wide Area Networks (WAN) FRMPLS or MPLS?
They are MPLS.
18. In reference to Section A.3D.9.c., VRE utilizes 3G/4G devices operating at 4G LTE speeds where available. Are these Wi-Fi networks used for both data and voice?
No, they are used for data only.
19. Can VRE identify the individual WAN networks and the technology utilized for each?
The WAN networks are used for fare collections, Visual Message Service (VMS), bank
circuit, security cameras, branch office and secure gateway, which are all MPLS.
20. What is VRE’s initial thought about segregating the networks?
The Contractor shall provide recommendations based upon best practices as part of this
assessment.
21. Is there a requirement for VoIP, Plain Old Telephone Service (POTS) or local/long distance?
This solicitation is related to data networks to include VoIP and does not involve local or
long distance calling.
22. Does VRE want to maintain/manage its own VoIP hardware?
VRE manages its own VoIP hardware.
23. Does VRE have an IP-PBX, Cisco CUBE or some type of session border controller?
No.
24. Does VRE have any failover requirements for both voice and data?
Yes.
25. Does VRE have a preference for Ethernet or TDM wherever suitable?
The Contractor shall provide recommendations based upon best practices as part of this
assessment.
26. Does VRE require single-mode or multi-mode interfaces wherever fiber is suitable? Is VRE’s network equipment enabled to support either?
The Contractor shall provide recommendations based upon best practices as part of this
assessment.
27. Does VRE have its own handsets?
Yes.
28. Does VRE have Power over Ethernet (PoE) switches?
VRE has several PoE switches and PoE injectors in the network.
29. In reference to Section A.3H., are there any special IP configurations that are not identified, including IPsec, GETVPN and/or DMVPN, etc.?
No.
30. Can VRE identify the number of public facing IP addresses available and currently being used that need to be scanned as part of the security assessment?
The number of public facing IP addresses is identified in Section A.3H.2.
31. What is the size of VRE’s Local Area Network (LAN) block in regard to internet facing IP addresses?
The space for internet facing IP addresses is identified in Section A.3H.1.
SECTION B – PROCUREMENT SCHEDULE
32. In the event there is a delay responding to questions received, will VRE consider a two (2) week extension of the due date for Proposals to allow for internal and legal review of the responses provided?
No.
SECTION D – SCOPE OF WORK
33. What is VRE’s budget to complete this project?
VRE has estimated the budget for this project to be approximately $75,000.
34. Is the environment to be audited segmented from the rest of VRE’s network(s)? If yes, how?
The environment to be assessed by the Contractor is the entire VRE network.
35. Are all VRE systems identified in the scope of work hardened in accordance with industry standards such as DISA STIG, CIS benchmarks, etc.?
This assessment includes an analysis to determine the current level of hardening and best
practices for hardening.
36. What tools or processes does VRE use to monitor these systems, such as daily audit logs for evidence of compromise?
VRE will provide this information to the successful Contractor following contract award.
37. Does VRE run at least quarterly internal and external vulnerability scans against all components?
Yes.
38. What operating systems does VRE use?
VRE uses iOS, OS X, Android, Linux, Windows and QNX.
39. Is the Contractor required to perform a penetration test, as well as a vulnerability assessment?
Yes.
40. Does VRE have any data center assets?
No.
41. Does VRE have any internal “home baked/home cooked” applications?
VRE utilizes several very small Access databases within the internal network for the purposes of tracking assets.
42. Does VRE develop any in-house software for any of the systems included in the scope of work? If yes, can VRE provide a description?
VRE does not develop any software in-house.
43. Does VRE have any Microsoft Office 365 requirements?
VRE is in the process of implementing Exchange online and SharePoint online.
44. Does VRE know or have an idea of what the application dependencies are?
Yes.
45. Does VRE have a requirement for authentication services?
Yes.
46. Does VRE require assistance or a plan to migrate its infrastructure, both physical and virtual?
The Contractor is required to provide a plan to optimize and enhance VRE’s critical
network infrastructure and perform a risk and security assessment.
47. Does VRE have or require management of its infrastructure, both physical and virtual?
Yes.
48. Does VRE have any storage requirements?
No, storage is not a requirement for this solicitation.
49. Are there any requirements for Disaster Recovery as a Service (DRaaS)?
No, DRaaS is not a requirement for this solicitation.
50. Regarding Section D.1B., does this Contract include a review of VRE’s people, processes and technologies as it relates to the storage, processing or transmission of cardholder data and/or a requirement to meet the PCI DSS standards and obtain an Attestation of Compliance (AOC)? If no, what is required of the Contractor in terms of interaction with cardholder data entrusted to VRE?
At a minimum, the Contractor shall perform an assessment of compliance to satisfy the
requirements of PCI DSS level four (4).
51. Is the Contractor required to be QSA certified in order to perform evaluation of VRE’s PCI DSS infrastructure? If yes, does VRE plan to use this evaluation as part of the PCI DSS?
No.
52. What level PCI certification is currently held by VRE?
VRE currently holds a level four (4) certification.
53. Does VRE outsource any form of its payment processing to third party service providers? If yes, what services are provided and by whom?
No.
54. Are all three (3) phases of the scope of work to be performed simultaneously or does Phase 1 need to be completed before Phase 2? Do Phases 1 and 2 need to be completed before Phase 3?
Phases shall not be performed simultaneously. The data from Phase 1 shall feed into Phase
2, and the data from Phases 1 and 2 shall feed into Phase 3.
55. How many key stakeholders must be interviewed during Phase 1 - Data Collection, Documentation and Analysis of the project?
The number of key stakeholders is related to the information required from the Contractor. VRE estimates that the Contractor will require information from roughly five (5) to seven (7) employees and consultants.
56. Section D.2B. states that intrusive testing shall not be performed by the Contractor between the hours of 4:00 A.M. to 10:00 A.M. and 12:00 P.M. to 9:00 P.M. EST, Monday through Friday. Can VRE define intrusive testing? Is this limited to automated scans and penetration testing?
VRE defines intrusive testing as testing that has the potential of causing interruption to any
system or normal workflow on VRE’s network. This restriction is designed to minimize
interruption to services when VRE trains are operating.
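A practitioner scheduling scans or exploitation against this environment would want to check a planned run against the Section D.2B blackout before launching it. The following is an added example, not part of the RFP or VRE’s own tooling: it encodes the weekday blackout windows quoted above (4:00 A.M. to 10:00 A.M. and 12:00 P.M. to 9:00 P.M., Monday through Friday) and walks a planned start/duration minute by minute so that a run that begins in a permitted window but spills into a restricted one is also rejected. The RFP says EST, so a fixed UTC-5 offset is assumed; whether the blackout follows daylight time is an assumption to confirm with the VRE Project Manager. The sample dates in the block are constructed.

```python
from datetime import datetime, time, timedelta, timezone

# Section D.2B states the blackout in EST. A fixed UTC-5 offset is used here;
# assumption: confirm with the VRE Project Manager whether daylight time shifts it.
EST = timezone(timedelta(hours=-5), "EST")

# Weekday (Monday through Friday) blackout windows for intrusive testing,
# as half-open clock ranges [start, end).
BLACKOUT_WINDOWS = (
    (time(4, 0), time(10, 0)),   # 4:00 A.M. to 10:00 A.M.
    (time(12, 0), time(21, 0)),  # 12:00 P.M. to 9:00 P.M.
)


def is_blackout(moment: datetime) -> bool:
    """True if intrusive testing is prohibited at this instant."""
    if moment.tzinfo is None:
        raise ValueError("use a timezone-aware datetime so the EST conversion is unambiguous")
    local = moment.astimezone(EST)
    if local.weekday() >= 5:  # Saturday (5) and Sunday (6) carry no restriction
        return False
    clock = local.time()
    return any(start <= clock < end for start, end in BLACKOUT_WINDOWS)


def blackout_overlap(start: datetime, end: datetime) -> list:
    """Every whole minute in [start, end) that falls inside a blackout window."""
    if end <= start:
        raise ValueError("end must be after start")
    hits = []
    t = start
    while t < end:
        if is_blackout(t):
            hits.append(t)
        t += timedelta(minutes=1)
    return hits


def schedule_ok(start: datetime, duration: timedelta) -> bool:
    """True if a run of the given duration never touches a blackout window."""
    return not blackout_overlap(start, start + duration)


if __name__ == "__main__":
    # Constructed sample: a scan planned for Tuesday 5 April 2016 at 10:00 P.M. EST, three hours long.
    planned = datetime(2016, 4, 5, 22, 0, tzinfo=EST)
    print("ok" if schedule_ok(planned, timedelta(hours=3)) else "conflicts with blackout")
```

Passing a UTC timestamp from a scheduler works because the check converts to EST first; a Sunday-night run that reaches Monday 4:00 A.M. is rejected, which is the edge a coarse "weekend only" rule misses.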
57. In reference to Section D.3A., does the Local Area Network (LAN) Assessment include both wired and wireless (e.g., Wi-Fi, access points, W-LAN controllers)?
Yes.
58. Does the LAN Assessment include wireless infrastructure provided by VRE for patrons in physical locations?
VRE does not offer its patrons wireless infrastructure.
59. Is VRE’s security video camera surveillance over IP or are the cameras closed circuit television (CCTV)?
VRE utilizes both CCTV and IP cameras.
60. In reference to Section D.3A.1., does VRE have a list of all network device IP addresses?
VRE will provide the Contractor with a list of known network device IP addresses.
However, it is the responsibility of the Contractor to verify the accuracy of the data
provided.
61. Does VRE have a circuit inventory of known circuits?
VRE will provide the Contractor with a list of known circuits. However, it is the
responsibility of the Contractor to verify the accuracy of the data provided.
62. Does VRE have any network management platforms (SolarWinds, HP OpenView, SMARTS, etc.) that are used to manage the network devices?
No.
63. Does VRE have a preliminary inventory of network devices that includes the vendor, platform and model of each device?
VRE will provide the Contractor with all records that currently exist with respect to
network devices. However, the accuracy of the records shall be verified by the Contractor.
64. Can VRE provide an inventory of all system components including Point-of-Sale systems, network components, servers and other systems (mainframes, mid-range, etc.), devices performing security functions, end user devices (laptops and workstations), virtualized devices and critical software?
See Section A.3, as well as the response to Question Nos. 7 and 8.
65. Does VRE have SNMP configured on the network devices?
No.
66. Does VRE have the community strings for SNMP configurations?
VRE does not have SNMP configured on its network devices.
67. Who is VRE’s major vendor partner for network devices (Cisco, Juniper, etc.)?
VRE’s major vendor partner is Cisco.
68. In reference to Section D.3A.2., is special access required for site visits?
VRE must provide escorts during all site visits.
69. Are there IT managers or technical resources at each site?
IT resources will be provided for each site visit. See the response to Question No. 68.
70. In reference to Section D.3A.4., does any current documentation exist for the network (e.g., Visio drawings, site standards, etc.)?
Very limited documentation currently exists.
71. In reference to Section D.3B., is it a requirement to incorporate high level cost components in the WAN Assessment, as well as recommendations (e.g., contract value, terms, commit spend, costs per site, transport types)?
Yes.
72. What does VRE spend annually for telecommunications including mobile devices, circuits, POTS lines and IPOPs?
VRE spends approximately $800,000 annually.
73. Is there a preferred approach to collection of data per site, including main sites and remote sites (e.g., VLAN Access-List (VACL), Switched Port Analyzer (SPAN), network taps)?
Yes, data collection shall be performed in accordance with the standards identified in
Section D.1B.
74. Does VRE restrict access to its facilities for technicians doing site surveys and inventories?
Yes.
75. Does VRE have a requirement to keep data on site or can data be transferred?
This is a very broad question that requires further clarification in order for VRE to provide
an accurate answer.
76. Does VRE have any security policies in place that prohibit personnel from accessing and photographing VRE facilities during site visits and visual inspections? This type of information can be leveraged for Configuration Management Database (CMDB) verification.
VRE does not prohibit photography within its facilities by authorized visitors provided the
photos are being taken in a safe location and are solely intended for providing goods and/or
services to VRE or its contractors. VRE requires personnel taking photos to respect the
security-sensitive nature of the rail environment and restrict photography to the subject
matter of the site visit, as well as minimize the presence of VRE staff in photos. VRE
reserves the right to restrict or change this condition at any time without any prior notice.
77. Does VRE currently have a CMDB or asset inventory database? If yes, what software platform(s) support this database?
No.
78. What tools for network performance assessment or network monitoring are currently approved for use in VRE’s environment? What is the process to get a new tool approved, if needed?
VRE does not currently utilize these tools internally. A proposed new tool must be
authorized in writing by VRE’s Director of Information Technology.
79. Is there any infrastructure that VRE does not own that supports VRE hardware, software or applications (e.g., managed WAN routers)? Can VRE identify anything that will require additional access requests to include in the assessment?
Yes, VRE uses two (2) Cisco ASA devices that are owned and managed by two (2) VRE
contractors. Additionally, VRE utilizes managed services for routers connected to MPLS
circuits through Verizon Business.
80. Does VRE have any tools (e.g., network performance assessment or network monitoring) that can be leveraged to reduce the overall cost to complete the scope of work?
No.
81. Can VRE provide a list of current business critical applications supported by its infrastructure?
See the response to Question No. 8.
82. Does VRE own, lease or have any network configuration management platforms?
No.
83. How many end users does VRE support?
VRE supports approximately fifty (50) end users.
84. Has VRE ever completed a network assessment prior to this RFP? If yes, can VRE share the results, as well as identify the tools utilized in the assessment?
A risk and security assessment of this scope and magnitude has never been undertaken by
VRE.
85. In reference to Section D.3C., Cyber Security/Resiliency Assessment, are any of VRE’s IT and security processes currently outsourced?
No.
86. Approximately how many people must the Contractor interact with for the resiliency assessment? Is the team supporting VRE’s security and operations significant in size? Is the team mostly centralized?
See the response to Question No. 55. The team is mostly centralized.
87. Are there any third party owned or hosted systems included in the scope of work?
Yes.
88. Are there any Cloud based systems that require review by the Contractor?
Yes.
89. Would a sampling based approach for security review of certain firewalls/routers/switches and servers be acceptable to VRE?
The Contractor shall perform the security review in accordance with the standards
identified in Section D.1B.
90. Is the Contractor required to perform physical security assessments at some or all of the locations or can these assessments be conducted virtually to emulate cyber network penetration? An example of this would be to attempt to gain unauthorized access to systems or buildings via existing networks or social engineering.
The Contractor shall perform security assessments in accordance with the standards
identified in Section D.1B.
91. Is the Contractor required to perform vulnerability identification and exploitation or is the goal of the assessment solely to perform vulnerability identification?
The Contractor shall provide a plan to optimize and enhance VRE’s critical network
infrastructure, as well as provide security training for VRE’s end users.
92. Section D.3C.1. states that the Contractor shall assess the risks to critical IT functions identified within VRE’s infrastructure, to include a social engineering attack test. Does this mean there is an existing report of risks already identified to assess? The way this is written makes it seem like there has been an assessment, risks have already been identified and the risks require further assessment. There is no mention of identifying risks. Can VRE provide clarification?
No. The Contractor shall perform all tasks identified in Section D.3C.
93. Will the social engineering attack test be an announced test (i.e., will IT security staff be told about the testing in advance)?
The VRE Project Manager will be the only VRE employee with knowledge of the social
engineering test.
94. With respect to the social engineering attack test, what are the components VRE requires the Contractor to use (e.g., espionage simulations, offensive spear-phishing, human incident response, metrics skills assessment, etc.)?
See the response to Question No. 99.
95. What social engineering techniques are required by the scope of work (i.e., physical entry, phishing emails, phone calls, USB drops, etc.)?
See the response to Question No. 99.
96. What risk mitigation capabilities are currently in place (e.g., deterrent, detective, corrective, preventive, recovery controls, etc.)?
VRE uses IPS and IDS.
97. Have critical IT functions already been identified? If yes, what are they?
Critical IT functions shall be identified through the vulnerability assessment conducted by
the Contractor.
98. Should the Contractor conduct penetration testing against these functions to include social engineering?
Yes.
99. What types of social engineering test scenarios are required (physical breach, telephone/call center, email/phishing, SMiShing, USB drop)?
All scenarios referenced shall, at a minimum, be included by the Contractor in the social
engineering test.
100. What locations are included in the scope of work for social engineering?
See Section A.3E.2 for a list of office locations to be included.
101. If VRE requires email and voice based social engineering, how many targets need to be tested?
All VRE employees shall be included as targets via email. Voice based social engineering
will be limited to approximately ten (10) targets.
102. How many externally facing IP addresses are live and reachable from the internet?
See Section A.3H.2 for a list of external IP addresses.
103. Section D.3C.2. states that the Contractor shall evaluate the IT security of VRE’s internal and external networks to include PCI-DSS infrastructure. Does this mean that the Contractor shall perform a vulnerability assessment or penetration test? Is the Contractor responsible for validating the scope and segmentation controls for the PCI environment (formally or informally, by review or by penetration test)?
Quarterly vulnerability scans are currently being performed by a third party. The
Contractor will have access to view these reports. The Contractor shall be required to
perform both a vulnerability assessment and a penetration test related to PCI compliance.
The Contractor is responsible for formally validating the scope and segmentation controls
for the PCI environment both by review and by penetration test.
104. Is wireless (Wi-Fi) testing a requirement of the scope of work for the internal tests? If yes, must testing be performed at all locations or just VRE office locations?
Yes, Wi-Fi testing is required and must be performed at the locations identified in Section A.3E.2.
105. Is penetration testing of web applications a requirement of the scope of work?
This question requires further clarification in order for VRE to provide an accurate answer.
106. Is penetration testing of Ticket Operating Machines a requirement of the scope of work?
Yes.
107. Should the PCI assessment also include penetration activities and scanning activities?
Yes.
108. Has VRE undergone a PCI assessment in previous years? If yes, when was the last PCI assessment performed?
The last PCI assessment was performed in November 2014.
109. Is VRE classified as a service provider or merchant and in which tier?
VRE is classified as a merchant, tier 4.
110. Does VRE complete a ROC or SAQ? If a SAQ, which SAQ does VRE complete?
VRE completes a SAQ, version two (2).
111. How many locations within VRE are considered part of the scope of the PCI assessment? Can VRE identify these locations?
All locations identified in Sections A.3E.1, A.3E.2.a., A.3E.2.c. and A.3E.3. shall be
included in the PCI assessment.
112. Are all locations identified in Section A.3E. included in the scope of the PCI assessment?
See the response to Question No. 111.
113. Does VRE have a system security plan, contingency plan, incident response plan and configuration management plan?
Yes.
114. Does VRE have a submission due date for the PCI assessment to ensure retention of its PCI compliance?
Yes, the due date is November 2016.
115. Can VRE provide an inventory (redacted) of the types of devices and number of devices included in the scope for the PCI assessment?
Yes, an inventory will be provided to the Contractor.
116. What type of evaluation does VRE require on its internal and external networks (e.g., internal and external network penetration testing, device security configuration review against best practices, network security architecture assessment, network segmentation testing, etc.)?
The Contractor shall perform a risk and security assessment of VRE’s bandwidth and
network infrastructure. The Contractor shall also develop a plan to optimize and enhance
VRE’s critical network infrastructure, as well as provide security training for VRE’s end
users.
117. Section D.3C.3. states that the Contractor shall examine the capabilities VRE currently possesses to prevent, detect, absorb and respond to the risks identified. This assessment shall examine the capabilities that exist within VRE, including staff with specialized training and knowledge, as well as physical assets. This sounds like a review of internal risk management processes. Can VRE more clearly define this requirement? Does this requirement include security monitoring, incident response, governance/risk/compliance processes, vulnerability management, third party management, policy exception management, secure configuration and security authorization processes?
The Contractor’s assessment shall satisfy the requirements of the Federal Information
Processing Standards (FIPS) 199.
118. Does VRE have Security Operations Center capability either in-house or outsourced?
This question requires further clarification in order for VRE to provide an accurate answer
as it depends on the Offeror’s definition of a Security Operations Center.
119. Section D.3C.4. states that the Contractor shall analyze the findings from the Risk and Vulnerability Assessment, Penetration Testing and Capabilities Assessment against current industry standards and best practices to identify gaps in VRE’s overall cyber security and resiliency posture. This implies that the Contractor will either be provided a findings report as input, or shall be responsible for performing these activities. Can VRE provide clarification? What are the industry standards that VRE prefers to be assessed against?
See Section D.1B. for the standards VRE must be assessed against.
120. Is the intention of this task to analyze findings from a pre-existing Risk and Vulnerability Assessment Report and a pre-existing Penetration Testing and Capabilities Assessment Report to identify gaps against best practices and industry standards? If yes, does VRE want the analysis to be against the findings or the methodology in both reports?
No, a risk and security assessment of this scope and magnitude has never been undertaken
by VRE.
121. Section D.4C.2. requires the Contractor to develop a Remediation Plan to mitigate or prevent identified security and resiliency risks and vulnerabilities within VRE’s cyber networks. Should the Contractor include in the Remediation Plan simulated disaster recovery test results if an incident were to occur (e.g., financial impact, service delivery impact, community impact, etc.) or does VRE require a Remediation Plan to patch existing vulnerabilities in order to be compliant?
At a minimum, VRE requires a Remediation Plan to patch existing vulnerabilities in order
to be compliant.
122. In reference to Section D.5, which includes the requirements for the Cyber Security Training and Education Program, is the Contractor required to provide a classroom for training of all employees or will VRE provide the classroom space and equipment?
VRE will provide a meeting room and AV equipment for this task.
123. How many total end users will be part of the Cyber Security Training and Education Program?
Approximately fifty (50) total end users.
124. Does this training include VRE employees, as well as VRE’s contractors?
The training shall include VRE employees only.
125. As part of the Cyber Security Training and Education Program, is the Contractor required to build and maintain the testing infrastructure for annual training efforts? If no, is the Contractor instead required to build the training for VRE to host using internal infrastructure?
VRE does not understand what infrastructure would be required and requires that the
question be further clarified in order to provide an accurate answer.
126. Where will the cyber security related workshops be held?
The workshops shall be held in Alexandria, Virginia.
127. How many discrete training programs does VRE require? In Section D.5, do A – D each represent a separate program?
One (1) program shall be required to encompass all aspects of Section D.5A. through
Section D.5D.
128.
Does VRE have any specific requirements for the workshops (length, location, material
format, etc.)?
The workshops shall be based on the findings of Phase 1 and Phase 2 of the risk and security
assessment as identified in Section D.3 and D.4.
129.
Should workshop materials incorporate VRE specific processes and examples or can more
generic best practices be utilized? If the former, can VRE provide input from subject matter
experts as to what those processes include?
The Contractor shall develop from VRE specific processes and examples, as well as from
subject matter experts, the input to be used in Phase 1 and Phase 2 of the risk and security
assessment.
130.
Are the workshops to be role based?
Yes, see Section D.5A.
131.
To what extent will the training need to be customized for individual roles (i.e., how many
roles)? How much differentiation does VRE require there to be among the various roles?
The training shall include two (2) roles, VRE IT staff and other VRE employees.
132.
Does the social engineering test program consist of two (2) phases (1st - a phishing test, 2nd
- a training program item that builds on the results) or is it one (1) training item (education
about malicious phishing and social engineering)?
The social engineering test program shall include two (2) phases.
133.
Is VRE required to report staff completion of the annual training required in Section D.5D.
for compliance purposes? Are there any requirements related to compliance that this
annual training must include?
Annual training shall be compliance based and include the standards identified in Section
D.1B.
SECTION E – SPECIAL TERMS AND CONDITIONS
134.
Section E.7 requires the Contractor to assign a single point of contact that must be available
between the hours of 7:00 A.M. and 7:00 P.M. EST, Monday through Friday, to address
any critical issues that arise. Can VRE confirm the skillset required of the single point of
contact and provide examples of the types of critical issues that the single point of contact
may encounter?
The single point of contact shall be available and have the skillset necessary to respond in
the event that the Contractor’s testing causes any sort of outage condition for VRE.
SECTION G – GENERAL INSTRUCTION FOR OFFERORS
135.
In reference to Section G.5, if an Offeror requests to withdraw its Proposal due to an error,
will that Offeror be allowed to re-submit a corrected Proposal?
No. However, in accordance with Section F.5, VRE reserves the right to waive
informalities and minor irregularities in Proposals.
SECTION H – GENERAL CONDITIONS FOR OFFERORS
136.
Section H.8B. states that VRE reserves the right to perform or have performed a financial
review of the successful Offeror’s resources. What type of financial review of the
successful Offeror’s resources will be conducted?
This provision will not be invoked by VRE as a routine matter, but only in extreme
circumstances, such as if VRE believed that financial difficulties or financial malfeasance
might significantly impair contract performance. The purpose of the financial review
would be only to ascertain the extent of the possible impairment, if this information had
not already been provided by the Offeror.
SECTION K – PROPOSAL CONTENT
137.
Section K.1I., Tabs 5 through 7 state that each objective above shall be conspicuously
identified and described on a separate page. Is VRE limiting the response for each objective
to a single page or must each objective begin on a separate page?
Each objective shall begin on a separate page. There is no page limit.
138.
Section K.1I., Tabs 5, 6 and 7 indicate that each objective shall be conspicuously identified
and described on a separate page. We interpret this requirement to mean that each item
(i.e., a., b., c.) in Tabs 5, 6 and 7 should start on its own page, as opposed to limiting the
response for each requirement to a single page. Can VRE provide clarification?
See the response to Question No. 137.
139.
Section K.1I., Tab 13, requires the Offeror to identify three (3) clients for whom
comparable work has been done in the past five (5) years or is currently being performed.
Is it a requirement for this RFP for the Offeror to be in business for five (5) years or is this
simply stating not to provide references for work performed more than five (5) years ago?
The Offeror must provide references for work performed within the past five (5) years only.
140.
Section K.1I, Tab 18 requires Offerors to provide financial statements. Is it mandatory that
Offerors provide a Statement of Financial Position (Balance Sheet), Results of Operation
(Income Statement), Statement of Cash Flow (if available) and Statement of Current and
Retained Earnings?
Yes, financial statements must be provided or Offerors will be disqualified.
141.
Can VRE confirm that there are no page limits for those tabs where limits are not specified
(e.g., Management Plan, Capability and Expertise of the Proposed Firm(s), Knowledge and
Qualifications of the Proposed Project Manager, Data Collection and Analysis Plan,
Strategic Recommendations, Implementation and Remediation Plan, and Cyber Security
Training and Education Plan)?
Yes, page limits apply only when specifically stated for a particular tab.
SECTION M – SUBMISSION OF PROPOSAL
142.
Section M.2A. states that the Proposal must be typed. Type size must not be smaller than
Microsoft Word Times New Roman 11 point font, normal proportional spacing. Will VRE
allow a type size of Arial 8 point font for graphics?
Yes, for graphics only.
143.
Section M.4 states that Offerors shall submit two (2) CDs/DVDs or USB memory devices,
each containing one (1) continuous electronic copy of the “Technical Proposal and Cost
Proposal” package in PDF format. Does this mean that Offerors should submit one (1)
device with the Technical Proposal and one (1) device with the Cost Proposal, or two (2)
devices, each containing both the Technical Proposal and the Cost Proposal?
The Offeror shall submit two (2) CDs/DVDs or USB memory devices, each containing
both the Technical Proposal and Cost Proposal.
SECTION N – EVALUATION OF PROPOSALS
144.
In reference to Section N.3, past performance does not appear to be included in the
evaluation criteria. Will past performance be evaluated as part of Evaluation Criteria C –
Capability and Expertise of the Proposed Firm(s)?
No. VRE will only evaluate the capability, expertise and past experience of the Offeror
and proposed Subcontractors, if applicable. However, references will be contacted by VRE
to verify the past performance of the Offeror.
SECTION O – CONTRACT AWARD
145.
When does VRE anticipate selecting a Contractor?
VRE anticipates awarding a Contract in June 2016.
SECTION R – SURETY BOND
146.
Can VRE confirm that the Contractor is required to provide a payment bond or irrevocable
letters of credit in the amount of the value of subcontracted work? This is normally a
requirement reserved for construction contracts.
Yes, a payment bond is required if the Contractor utilizes Subcontractor(s).
147.
If the Contractor does not subcontract any of the work, does the Contractor need to provide
a payment bond?
No.
ATTACHMENT V.1 – GENERAL TERMS AND CONDITIONS
148.
Will VRE accept Proposals from Offerors that reference the terms and conditions of an
existing General Services Administration Schedule 70 contract?
No.