Cherokee Nation Security & Defense, LLC
Enterprise Asset Management System
RFP Document
November 12, 2014
1.0 Introduction
1.1 Company
1.2 Contact
1.3 Project Objective
1.4 Project Assumptions
1.5 Project Team and Responsibilities
1.6 Project Resources Forecast
2.0 RFP General Information
2.1 RFP Overview
2.2 RFP Format
2.3 RFP Timetable
2.4 Vendor Characteristics
2.5 Contractual Issues
2.6 Security and Control
2.7 Training
2.8 Documentation
2.9 Design Approach and Strategy
2.10 Roles and Responsibilities
2.11 Rejection of Bids
3.0 Current State
4.0 Vendor's Response to RFP
4.1 Format of Vendor's Response
4.2 Introduction and Vendor Background
4.3 Design Approach
4.4 Training Experience
4.5 Project Costs
4.6 Security Questionnaire
4.7 System Topology / Application Flow
4.8 RFP Certification
5.0 Definitions
6.0 Business Relationship/Non-Disclosure
7.0 General Security Questionnaire for System Applications
1.0 Introduction
1.1 Company
Cherokee Nation Businesses, L.L.C. (CNB) is wholly owned by the Cherokee Nation, the nation's
second largest Indian tribe. CNB, the economic engine of the Cherokee Nation, owns companies in
the gaming, hospitality, personnel services, distribution, aerospace, manufacturing,
telecommunications, technology services, medical equipment, security and defense services,
construction and environmental services industries. These businesses have annual revenues of
over $700 million and over $100 million in profits. CNB continues to grow and expects to acquire
new businesses in the future.
Cherokee Nation Security & Defense (CNSD), a subsidiary of CNB, was created to provide quality
employment opportunities for citizens of the Cherokee Nation within an organization that provides
state-of-the-art critical site infrastructure protection, security surveillance services, and access
control technologies to both government and commercial clients.
1.2 Contact
All questions related to this document should be directed by email to Hossam Azar at the following
address:
hossam.azar@cnent.com
1.3 Project Objective
1.31 Overview
The Federal government recently awarded Cherokee Nation Security & Defense (CNSD) a contract
to manage its equipment asset inventory. Equipment assets include all access control, intrusion
detection and video surveillance systems. CNSD is using multiple spreadsheets to capture the
inventory during the first year of the contract while it locates and implements a new software
solution. CNSD is responsible for 450 locations. In the future, CNSD expects the solution to support
multiple government contracts managing asset inventories.
CNSD is building equipment lists of security cameras, DVRs, servers, airport x-ray equipment, and
other IT equipment. The government contract requires that specific fields be tracked on all equipment
types. CNSD has yet to find all required features in any COTS product and therefore requires a
customized solution to meet its contractual obligations.
CNSD seeks an Enterprise Asset Management (EAM) system to manage IT security assets that are
government owned. The EAM must support multiple contracts that track assets, warranties, service
order calls, preventative maintenance and scheduling, service/maintenance hours spent, and repair
parts used on equipment assets. In addition, the desired solution must meet application and data
security requirements.
1.32 Business Objective
Select and implement an Enterprise Asset Management System that:
• Streamlines report-based CDRLs (Contract Data Requirements List), reducing the time and cost
  of preparing them, currently 60-80 hours per month.
• Provides inventory reporting to give customers proper asset information for
  forecasting/planning and determining growth or reduction of resources.
• Eliminates manual processes of reporting and data entry.
• Tracks all active, pending, and completed work orders on maintenance, warranty,
  repair, and support.
• Delivers accurate and timely reports to the customer.
• Provides efficient management of CNSD resources, work orders, and contracts.
• Provides the ability to add 15-20 sites to the EAM system per month after implementation.
1.33 Business Rules
ID: Description
BR-1: The contract requires CNSD to report the material of all parts used on equipment assets.
BR-2: The solution shall provide tracking of an employee's certifications and security clearances.
BR-3: The solution shall provide a service call database for all work performed on equipment assets and report completed service/work orders to the government representative.
BR-4: The solution shall record the type of work performed on equipment assets on a Service Order, such as preventative maintenance, warranty, repair, upgrades/enhancements, new installations, inspections, and technical support.
BR-5: The solution shall use a default date, such as Contract Date, on existing equipment assets when the exact date is unknown, while all new equipment shall have a date not in the future. The field shall be required.
BR-6: The solution shall log the name and date of the technician who added or modified an equipment asset for auditing purposes.
BR-7: The solution shall allow CNSD to manage the service order status to understand the work required to completion.
1.34 Business Requirements
ID: Description
R-1: The solution shall use a default date, such as Contract Date, on existing equipment assets when the exact date is unknown, while all new equipment shall have a date not in the future. The field shall be required.
R-2: The solution shall log the name and date of the technician who added or modified an equipment asset for auditing purposes.
R-3: The solution shall allow CNSD to manage the service order status to understand the work required to completion.
1.35 EAM Features
ID (Priority): Description
FE-1 (High): Prefer a hierarchical structure beginning with Contract, Zone, Site, and then Site Location Area.
FE-2 (High): Equipment asset inventory containing IT security equipment. BR-3.
FE-3 (High): Spare parts asset inventory used in the repair, maintenance, and installation of equipment assets.
FE-4 (High): Tool for scheduling preventative maintenance on equipment assets.
FE-5 (Medium): Ability to manage equipment warranties.
FE-6 (High): Ability to manage service orders on equipment assets.
FE-7 (Low): Ability to manage employee information, such as name, phone, certifications, employee role, and assigned work zone.
FE-8 (Low): Integrate employee time and labor performed on equipment service orders with Deltek Time & Expense.
FE-9 (High): Track preventative maintenance plans and service histories on each equipment asset.
FE-10 (Low): Create a comprehensive reference library of uploaded documents for employees, equipment assets, contract requirements, part assets, warranties, and equipment manuals.
FE-11 (Medium): Provide management of a site's point of contact person, site name, its zone, site location and description.
FE-12 (High): Standard and customizable reports. See table 1.37 Standard Reports.
FE-13 (Medium): Functionality to manage basic information about each Contract that CNSD performs for a customer.
FE-14 (Low): Logging of the employee name and date/time that added or edited assets, for audit purposes.
FE-15 (Low): Provide mobile device accessibility with all solution functionality.
FE-16 (Medium): Support kitting of spare parts used on equipment assets.
FE-17 (Low): Provide data security access controls using two-factor authentication, with the second factor not resident on the device.
FE-18 (High): Ability to add custom fields to the database and forms.
1.36 Data Requirements
The solution must meet the field-level requirements below. A vendor may provide additional or similar
objects (entities) and fields not listed. An asterisk (*) denotes a required field. CRUD codes
used below represent Create, Read, Update, and Delete functionality.
DD-1: Equipment Asset
Object Name: Equipment Asset
Description: A government IT security asset managed by CNSD. Required in monthly reports.
Function(s): Admin can CRUD equipment assets. Employee can CRU equipment assets.
Data:
• Device Type [List] *
• Device Sub-Type *
• Model *
• Model Number *
• Serial Number
• Equipment Description * (text field, 200 char)
• Fiber/Coax (fiber OR coax?)
• Install Date *
• In Service (Yes/No/Unknown)
• Operable (Yes/No/Unknown)
• Equipment Status [List]
• OEM *
• MCE ID
• Comments
• Within Specs (Yes/No/Unknown)
• Recommended Action (text field, 200 char)
• Audit Logging *
• Doc Storage about Object
Rules: R-1, R-2
Related Object: Equipment Storage, Warranty, Device Type, Preventative Maintenance, Service Order, and Inspection.
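The three controls on this object (Admin may CRUD while Employee may only CRU, the R-1 install-date rule, and the R-2 audit trail) are easy to state and easy to get subtly wrong, for example by validating dates only on create or by letting a failed operation leave no trace. The following is an added example, not part of the RFP or of any vendor's product, showing one way to enforce all three together. The role names, the Contract Date value, the asset identifiers and the sample assets are assumptions; in a real system the Contract Date would come from the Contract object.

```python
"""Added example (not from the RFP): asset registry enforcing DD-1 role permissions,
the R-1 install-date rule and the R-2 audit trail. Names and values are assumptions."""
from dataclasses import dataclass
from datetime import date, datetime, timezone
from typing import Optional

# DD-1: Admin can CRUD equipment assets; Employee (technician) can CRU but never delete.
ROLE_PERMISSIONS = {
    "Admin": {"create", "read", "update", "delete"},
    "Employee": {"create", "read", "update"},
}

# R-1: default for existing (migrated) equipment whose exact install date is unknown.
# Assumed value; a real system would read it from the Contract object.
CONTRACT_DATE = date(2014, 1, 1)


class PermissionDenied(Exception):
    pass


@dataclass
class AuditEntry:
    # R-2: who added or modified the asset, when, and which fields changed.
    actor: str
    action: str
    asset_id: str
    timestamp: datetime
    changes: dict  # field -> (old, new); empty for create and delete


@dataclass
class EquipmentAsset:
    asset_id: str
    device_type: str
    model: str
    install_date: date
    legacy: bool = False  # True for assets loaded from the existing spreadsheets (AS-1)


def resolve_install_date(raw: Optional[date], legacy: bool, today: date) -> date:
    """R-1: Install Date is required. Legacy assets with an unknown date receive the
    Contract Date; new equipment must supply a real date that is not in the future."""
    if raw is None:
        if legacy:
            return CONTRACT_DATE
        raise ValueError("Install Date is required for new equipment")
    if raw > today:
        raise ValueError(f"Install Date {raw} is in the future")
    return raw


class AssetRegistry:
    def __init__(self, clock=lambda: datetime.now(timezone.utc)):
        self._assets = {}
        self.audit_log = []
        self._clock = clock  # injectable so tests can pin the time

    def _authorize(self, role: str, action: str) -> None:
        # Deny by default: an unknown role has no permissions at all.
        if action not in ROLE_PERMISSIONS.get(role, set()):
            raise PermissionDenied(f"role {role!r} may not {action} equipment assets")

    def _record(self, actor: str, action: str, asset_id: str, changes=None) -> None:
        self.audit_log.append(AuditEntry(actor, action, asset_id, self._clock(), changes or {}))

    def create(self, actor, role, asset_id, device_type, model, install_date, legacy=False):
        self._authorize(role, "create")
        resolved = resolve_install_date(install_date, legacy, self._clock().date())
        asset = EquipmentAsset(asset_id, device_type, model, resolved, legacy)
        self._assets[asset_id] = asset
        self._record(actor, "create", asset_id)
        return asset

    def update(self, actor, role, asset_id, **fields):
        self._authorize(role, "update")
        asset = self._assets[asset_id]
        changes = {}
        for name, new in fields.items():
            if name == "install_date":  # re-validate dates on edit, not only on create
                new = resolve_install_date(new, asset.legacy, self._clock().date())
            old = getattr(asset, name)
            if old != new:
                setattr(asset, name, new)
                changes[name] = (old, new)
        self._record(actor, "update", asset_id, changes)
        return asset

    def delete(self, actor, role, asset_id):
        self._authorize(role, "delete")
        del self._assets[asset_id]
        self._record(actor, "delete", asset_id)

    def get(self, asset_id):
        return self._assets[asset_id]


if __name__ == "__main__":
    reg = AssetRegistry()
    reg.create("tech.jones", "Employee", "EQ-001", "PTZ CCTV Camera", "X1", None, legacy=True)
    reg.update("tech.jones", "Employee", "EQ-001", model="X2")
    for entry in reg.audit_log:
        print(entry.timestamp.isoformat(), entry.actor, entry.action, entry.asset_id, entry.changes)
```

The permission check runs before any state is touched, so a denied delete leaves the asset and its history intact, and the audit entry for an update carries the old and new values rather than only the fact that something changed, which is what a reviewer actually needs when reconciling the monthly report.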
DD-2: Equipment Status
Object Name: Equipment Status
Description: As listed by the IRS in the contract.
Function(s): Select ONE from pick list.
Data: Operational, Non-Operational, Damaged, Missing
Related Object: Equipment Asset
DD-3: Warranty
Object Name: Warranty
Description: Information about equipment asset warranties.
Function(s): Completed by Technician or Admin. Technician – CR; Admin – CRU.
Data:
• Warranty Start Date *
• Warranty End Date *
• Document Storage about Entity
• Warranty contact name, phone, company name
• Warranty Type (Select One: Parts Only, Parts & Labor) *
Related Object: Equipment Asset
DD-4: Maintenance Plan
Object Name: Maintenance Plan
Description: Includes the fields required to report monthly on an equipment asset.
Function(s): Admin – CRUD, Technician – CRU
Data:
• Last Service Date *
• Next Service Date *
• Comments
• Time Maintenance Interval * [Select One: Month, Quarter, Semi-Annual, Annual]
• Usage Maintenance Interval * [miles, hours]
Rules: R-1
Related Object: Equipment Asset
DD-5: Device Type
Object Name: Device Type
Description: Device Type determines the task order list performed on each equipment type.
Function(s): Select from pick list
Data:
• Card Access-Intrusion Detection
• Security Operations Center
• CCTV Matrix
• Badge Encoder
• Fiber Optic Transmitter
• CCTV Monitor
• Pre-Processor Unit
• PTZ CCTV Camera
• Tape Back-up
• Emergency Call Station
• RTU Panel
• Fixed CCTV Camera
• Dedicated Micros
Related Object: Equipment Asset
DD-6: Part Asset
Object Name: Part Asset
Description: Part Assets are spare part inventory items installed on equipment assets. Part Assets may be bundled in a Kit and will be stored at multiple site locations.
Function(s): Admins can CRUD part assets. Technicians can CRU part assets.
Data:
• Part Name *
• Part Serial Number
• Part Description
• Quantity *
• Part Material * [See List]
• Unit Cost *
• Manufacture Place *
• Reorder Level
• Min Stock Level
• Max Stock Level
• Original Price
• Part Supplier
• Kit Number
• Kit Value
• Doc Storage for Entity
• Zone *
• Site *
Rules: Kit Value = sum of the values of all parts in a kit. Zero to many parts may be used on an equipment asset listed on a Service Order.
DD-7: Part Material
Object Name: Part Material
Description: Part material options, as defined in the contract, regarding the material origin of parts used on equipment assets.
Function(s): Select One per part.
Data:
• New
• Reconditioned
• Recovered Material
• Remanufactured
• Virgin Material
• Used
• Manufactured End Product
Rules: BR-1
Related Object: Part Asset
DD-8: Employee
Object Name: Employee
Description: An employee of CNSD. Required to maintain employee information on full-time or contract workers located at a Site. Required to store and report information on an employee's certifications, experience, and security clearances, if requested.
Data:
• Employee Name
• Employee Phone
• Employee Email
• Employee Type [Employee OR Sub-contractor]
• Employee Certifications (0:M)
• Employee Title
• Employee Security Clearance Level
• Doc Storage Items for Entity
Rules: Employee name and employee ID must integrate with Deltek. BR-2
DD-9: Employee Labor
Object Name: Employee Labor
Description: An employee's labor associated with start/end/wait date/time on a work order, along with the total site hours and overtime.
Function(s): Entered on a Service Work Order and transmitted to Deltek Time & Expense.
Data:
• Labor Date
• Labor Start Time
• Labor End Time
• Labor Wait Time
• Travel Time
• Total Site Hours
• Overtime/Emergency/Holiday Hours
• Specialty Labor Hours
• Comments (memo, 200 chars)
Related Object: Employee
DD-10: Service/Work Order
Object Name: Service Order
Description: A form containing work performed on an equipment asset. Must also be a standard report. Required to document all service calls and retain history records of such.
Function(s): An Employee can CRU. An Admin can CRUD.
Data:
• Urgency Level * [List]
• Order Type * [List]
• Report Date *
• Request Date
• Order Status *
• Part ID
• Comments
• RMA Number
• Recommended Action
• Doc Storage items for Entity
Rules: BR-3
Related Object: Order Type, Order Status, Equipment Asset, Part Asset, Site Location Area, Employee
DD-11: Order Type
Object Name: Order Type
Description: A description of the types of work performed on equipment and listed on a Service Order.
Function(s): Required: Select One from a pick list
Data:
• Preventative Maintenance
• Warranty
• Repair
• Upgrade/Enhancement
• New Install
• Tech Support
• Inspection
Rules: BR-4
DD-12: Order Status
Object Name: Order Status
Description: Allows CNSD to manage Service Orders and know where the work required to completion stands.
Function(s): Required: Select One from the pick list
Data:
• Assigned
• In-progress
• Pending
• Closed (Completed)
• Cancel
• Deferred
Rules: R-3
Related Object: Service Order
DD-13: Zone
Object Name: Zone
Description: A geographical area defined by the customer, with each zone containing many Sites. AKA Region.
Function(s): Admin can CRUD.
Data:
• Zone Name *
• Site * (1:M)
• Task Order (1:M)
Related Object: Site
DD-14: Site
Object Name: Site
Description: A physical location where CNSD will manage its contract's equipment assets.
Function(s): Admin can CRUD.
Data:
• Site Name *
• Zone or Region *
• Address *
Related Objects: Contract, Site Contact, Site Location Area
DD-15: Site Location Area
Object Name: Site Location Area
Description: Represents a specific location within a Site.
Function(s): Admin can CRU
Data:
• Site Location Name *
• Location Description *
• Building
Related Object: Site, Employee, Service Order, Equipment Asset, Part Asset
DD-16: Site Contact
Object Name: Site Contact
Description: The point-of-contact person(s) at each Site: a government employee identified in the contract to whom CNSD must provide reports.
Function(s): Admin can CRUD
Data:
• SC Name *
• SC Phone *
• SC Email
• SC Title
Rules: A site has one to many site contacts.
Related Object: Site
DD-17: Contract
Object Name: Contract
Description: Stores basic information about the contract.
Function(s): Admin can CRUD
Data:
• Contract Name
• Contract Number
• Contract Start
• Contract End
Related Object: Site, Customer
DD-18: Customer
Object Name: Customer
Description: Describes the customer defined in the contract by its common name, such as IRS. In addition, allows for identifying the name of the Agency Owner, who may not be the contracted customer but is the Owner of an equipment asset. CNSD must ensure it performs work only for its contracted customer.
Function(s): Admin can CRUD items
Data:
• Customer Name *
• Agency Owner
Related Object: Contract
1.37 Standard Reports
ID – Report Name: Report Description
REP-1 – Service Order: Displays work performed on an equipment asset. Must submit report on all Closed service orders within two business days.
REP-2 – Accomplishments: Displays equipment added or deleted in the EAM during a time range. Submit Monthly.
REP-3 – Progress Report: Includes and displays a recent service call summary and the upcoming preventative maintenance schedule.
REP-4 – Security Equipment Check Sheet: Displays a form containing checklist items based upon the equipment's Device Type. Submit Monthly.
REP-5 – Security Equipment Maintenance Logs: Displays a form of equipment filtered by recent service dates. Submit Monthly.
REP-6 – Preventative Maintenance (PM) Accomplishments: Displays equipment having PM performed within a date range. Submit Monthly.
REP-7 – PM Plan: Displays equipment designated to have PM performed within a timeframe. Submit Monthly.
REP-8 – PM Deferments: Displays equipment placed on Deferred status found during PM.
REP-9 – Equipment Condition Report: Displays all equipment that is not operational, its defect, and the timeframe to work completion. Submit Monthly.
REP-10 – Equipment Inventory: Displays all equipment filtered by site, status, and date range.
1.38 Project Management
CNB understands each vendor will bring its own methodology to the project; however, the EAM
project must include:
• Configuration Evaluation/Design
• Documentation of Business Processes, including Business Process Flows
• Improvement recommendations
• Planning
• Training (materials and hands-on training)
1.39 Key Deliverables
• Documented future-state processes based on best practices
• Installation/Configuration of Enterprise Asset Management System
• Training
  o Functional training for pre-selected employees
  o Online training opportunities within the solution based on each functional system area
• Technical Support
• Project plan including milestones and completion date
• Maintenance Agreement
1.40 Project Completion Criteria:
• CNSD management and IT management agree on a plan of action to accomplish system
  functionality and approve the system implementation.
• CNSD management has reviewed the system for data accuracy, the implementation plan is
  documented, and a fully configured system is in operation.
• All customizations are fully documented and transitioned to CNB IT support personnel.
• CNSD management has signed off on the documentation and the project plan, and a functioning
  system is in place.
1.4 Project Assumptions
1.41 Assumptions
ID: Description
AS-1: Vendor shall integrate existing spreadsheet data of IT security assets into the solution.
AS-2: Provide role-based security within the solution.
AS-3: The solution shall be compatible with mobile devices, such as smart phones and tablets.
AS-4: The solution shall provide 99.9 percent uptime.
AS-5: The solution shall use the English language.
AS-6: Vendor shall provide planned system maintenance notification at least one week in advance.
AS-7: The solution shall function with multiple operating systems, such as Windows 7 and 8 and iOS 8.
AS-8: The solution shall be cross-browser compatible, such as IE8 and above, Safari, Chrome, and Firefox.
AS-9: The solution shall be available 24 hours, 7 days per week, 365 days per year.
AS-10: The Vendor shall be available for technical support 24 hours, 7 days per week.
AS-11: The Vendor shall provide CNB a Disaster Recovery Plan (DRP) to assist CNSD in notifying its customers of any adverse incident affecting the system.
AS-12: Data restores must be possible within 24 hours of calendar time of a system failure.
AS-13: CNB must be able to contact the vendor directly for timely issue resolution and escalation, as needed.
AS-14: The English language shall be the official language used for communication concerning this project.
AS-15: United States currency shall be the official currency concerning this project.
AS-16: The solution will include Employee scheduling and the items listed in DD-9, but Deltek will remain the main Human Resource application.
1.42 Dependencies
ID: Description
DE-1: Interface the solution with Active Directory (AD) for employee authentication on CNB/CNSD-owned equipment.
DE-2: Interface the solution with Deltek Time & Expense to communicate employee information such as type, time, labor, and skills.
1.43 Technical
• System must provide audit logging for all actions.
• System must auto-logoff after 30 minutes of inactivity.
• System must provide offline data entry.
• If the solution is on premise, the system must support server virtualization, running on a
  supported version of Microsoft server software. It must also support a robust integrated
  SQL database that is centralized and supports all locations and business units.
• If the solution is on premise, hardware for the production/test environments will be set up
  by CNSD, and/or the Enterprise Asset Management System will be set up by the implementation
  vendor and CNSD. CNSD will purchase any hardware required for the production/test environments.
• Backup/recovery procedures will be performed by CNSD throughout the project to avoid loss of
  data. The capability for database restores to occur within 24 hours of calendar time of a
  system failure will be in place.
• The application must run over a wide area network (WAN).
• Timely access to the network and hardware environment will be provided by CNSD to the
  project team 24/7 to troubleshoot and resolve technology issues.
• CNSD should be able to contact the vendor for timely issue resolution and escalation, as needed.
• The system should receive quarterly system updates, and patches as required to address
  critical system issues.
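The 30-minute auto-logoff above is the one requirement in this list with a concrete parameter, and vendors commonly implement it only on the request path, so a session that is abandoned without another request never actually expires. The following is an added example, not from the RFP or any vendor's product, of a server-side session store that enforces the idle timeout on every request, reaps abandoned sessions on a timer, and records each login and forced logoff so the audit-logging requirement covers the control itself. The absolute lifetime cap, the sample users and the fixed reference time are assumptions.

```python
"""Added example (not from the RFP): session store enforcing the 1.43 auto-logoff
after 30 minutes of inactivity, with login/logoff audit events. Values are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

IDLE_TIMEOUT = timedelta(minutes=30)     # 1.43: auto-logoff after 30 minutes of inactivity
ABSOLUTE_LIFETIME = timedelta(hours=12)  # assumed cap: steady activity cannot extend a session forever

# Constructed reference time for the demonstration (not from the RFP).
T0 = datetime(2014, 11, 12, 9, 0, tzinfo=timezone.utc)


def minutes(n: int) -> timedelta:
    return timedelta(minutes=n)


@dataclass
class Session:
    session_id: str
    user: str
    created_at: datetime
    last_activity: datetime
    active: bool = True


class SessionStore:
    def __init__(self):
        self._sessions = {}
        self.audit_events = []  # (timestamp, user, event): audit logging for all actions

    def login(self, session_id: str, user: str, now: datetime) -> Session:
        s = Session(session_id, user, created_at=now, last_activity=now)
        self._sessions[session_id] = s
        self.audit_events.append((now, user, "login"))
        return s

    def touch(self, session_id: str, now: datetime):
        """Call on every authenticated request. Returns the session if still valid;
        otherwise terminates it and returns None so the caller forces re-authentication."""
        s = self._sessions.get(session_id)
        if s is None or not s.active:
            return None
        if now - s.last_activity >= IDLE_TIMEOUT:
            self._terminate(s, now, "auto-logoff: idle timeout")
            return None
        if now - s.created_at >= ABSOLUTE_LIFETIME:
            self._terminate(s, now, "auto-logoff: absolute lifetime")
            return None
        s.last_activity = now  # sliding window: each request restarts the 30-minute clock
        return s

    def logout(self, session_id: str, now: datetime) -> None:
        s = self._sessions.get(session_id)
        if s is not None and s.active:
            self._terminate(s, now, "logout")

    def sweep(self, now: datetime) -> int:
        """Periodic reaper: idle sessions must die even if the user never sends another
        request; otherwise the 30-minute rule only holds for users who come back."""
        expired = [s for s in self._sessions.values()
                   if s.active and now - s.last_activity >= IDLE_TIMEOUT]
        for s in expired:
            self._terminate(s, now, "auto-logoff: idle timeout")
        return len(expired)

    def _terminate(self, s: Session, now: datetime, reason: str) -> None:
        s.active = False
        self.audit_events.append((now, s.user, reason))


if __name__ == "__main__":
    store = SessionStore()
    store.login("s1", "tech.jones", T0)
    print(store.touch("s1", T0 + minutes(29)) is not None)  # 29 idle minutes: still active
    print(store.touch("s1", T0 + minutes(60)) is None)      # 31 idle minutes: logged off
    for ts, user, event in store.audit_events:
        print(ts.isoformat(), user, event)
```

Two details matter for a requirement phrased as a hard limit: the comparison uses the server clock passed in by the caller, never a timestamp supplied by the client, and the sweep runs independently of requests, which is what makes the limit hold for a workstation left unattended.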
1.44 Critical Success Factors
• Prompt resolution of issues and decisions
• Project deadlines met
• Harmonious relationships maintained among the project teams
• Top management support of the project team and implementation
• Committed project team of subject matter experts, augmented by business owners and
  IT personnel where necessary
• Clearly assigned accountability for project tasks
• Sufficient resources with appropriate segregation of duties committed to the project
• Timely status updates by all team members
• Structured Change Management Process
• Timely escalation of issues and missed project due dates
• Committed Sponsorship
1.45 Quality Assurance
To ensure that the project team is executing the proposed project plan as submitted, CNSD retains
the right to review and cancel the agreement after the project begins. In that event, CNSD will pay
all reasonable and documented vendor costs, in accordance with CNB's Travel and Expense Policy,
up through the termination date with no further liability to the vendor.
CNSD retains the right to request replacement team members from the vendor and to have a team
member changed in a timely manner.
The functional design and implementation plan require the Business Owner and the Technical
Owner to sign off prior to completion of the design project.
Project status, including work complete, estimated time to completion, and missed due dates, must
be delivered to the steering committee on a weekly basis throughout the length of the project.
An issue log must be created and maintained, and a status report must be delivered weekly with the
number of issues resolved and new issues added.
A Change Management process must be established with clear guidelines for requesting a change,
the approval necessary for a change to be implemented, responsibility for the change timeline, and
determination of successful completion.
1.46 Risk Analysis Summary
Risks for the design and implementation of the EAM system project include missing key deadlines
and extending the implementation timeline. Risks and their potential impact should be identified in
the design strategy. Documentation should cover both the impact of selecting or rejecting the
design and the implementation impacts. The risk assessment must recognize that CNSD staff may or
may not be knowledgeable in the EAM system selected, and guidance should be provided in risk issue
identification.
Additional Business Risks are listed below:
ID: Description
BR-1: The solution must include the specific fields required by the government customer to manage assets and meet reporting requirements, or the government customer can opt not to pay for services rendered by CNSD.
1.5 Project Team and Responsibilities
The Project Team will be vital to the overall project success. CNSD will assign the appropriate
resources to meet the agreed upon schedule and deliverables.
To ensure that the project is on schedule and work is completed, weekly status meetings will be
required from the Project Team and weekly status reports submitted to the appropriate project
manager. Project status includes project outlook, brief overview, completion of assigned
issues/deliverables, items that were planned but not accomplished, miscellaneous items, issues and
concerns, key activities planned for the next week, and key dates, including time off. All
issues/deliverables that have been noted as completed must be approved by the Business Owner
and submitted at weekly status meetings for review and project team approval.
The following matrix outlines the roles and their responsibilities; team members will be identified
prior to start of work.
Role: Responsibilities
Project Partner(s) / Project Sponsor: CNSD Executive(s) affected by each project will provide project approval, project funding, direction, sponsorship, and timely problem resolution. The project partner(s) and project sponsor will receive the weekly Project Executive Status Report and may periodically attend the steering council meetings.
CNB IT Project Manager: Responsible for the project plan, documenting meeting minutes and decisions, escalating issues and coordinating the utilization and proactive participation of the business resources, both within the project team and those involved outside the project team. Works closely with the Implementation Partner in updating the overall project plan.
Project Consultant: Responsible for the overall success of the project by ensuring that the business requirements are fulfilled while facilitating documented process design, process changes, policy and procedures, testing, and training.
CNB Business Owners: Each major department or business entity affected by the project will assign a business owner who is responsible for assigning the correct business process specialists, making sure policy and procedures are completed and reviewed, ensuring high and dedicated performance from their assigned team members, and providing direction and guidance to their team members in the design and implementation phase.
CNSD Subject Matter Experts (SMEs): Each major department or business entity affected will assign the necessary team members to participate in the implementation effort. These individuals are specialized in one area or process and must have overall knowledge of the current processes, policy and procedures, etc. to provide insight into current state design, future state design and completing assigned tasks in a timely manner. They may also assist with employee self-service training.
Business Project Improvement Owner: Responsible for ensuring the correct personnel are available and performing to high and dedicated performance levels, as well as ensuring the current state/future state tasks are effective and remain on schedule.
Business Process Specialists/Managers: Responsible for leading current state and future state design sessions, documenting process flows and business decisions, and gaining consensus on business processes.
CNSD Technical Owner: Responsible for assigning the correct technical team, ensuring technical infrastructure and system uptime meet operational requirements, ensuring dedicated performance from their assigned team members, and providing direction and guidance to their team members during the implementation process.
CNSD Technical Analyst: Designated IT personnel who will perform hardware, architecture and network setup. Participate in the infrastructure review, in the business process documentation, in the implementation strategy, perform necessary development and assist with security design.
1.6 Project Resources Forecast
1.61 Hardware
CNSD will provide computers and phone access for all project team members. CNSD will provide
access to printers for all project team members.
1.62 Software
It is assumed that CNSD project managers will have access to Microsoft Project. All CNSD project
team members will have access to Microsoft Word, Excel, and PowerPoint. All CNSD and contractor
project team members will have access to CNSD email (mainly for scheduling).
1.63 Office Space
CNSD will provide a dedicated work environment for the project team throughout all of the phases
of the implementation project. This includes workspace, meeting rooms and training space.
1.64 Security
This work environment will include access to the appropriate CNSD environment, applications,
networks, printers and other peripheral devices needed during the project. Contractors will have
24/7 access to workspace, including access to physical facilities if needed, and applicable
environments for the duration of the design and implementation.
1.65 Outside Access
CNSD will provide access to Internet and contractor networks, websites, and databases.
2.0 RFP General Information
2.1 RFP Overview
The goal of this Request for Proposal (RFP) is to determine if your services meet the functional and
technical needs of CNB. Please feel free to submit any additional information you deem appropriate
for this project.
Any CD-ROM/disk, and/or user documentation submitted with your proposal will be returned
upon written request. All other materials provided will become the property of CNB and will not be
returned to the vendor.
RFP submission:
Return bids are due no later than December 3, 2014 at 5:00 PM and can be returned via email to
Hossam Azar at hossam.azar@cnent.com. Bid responses will be held valid for 180 days from the
December 3, 2014 due date. The attached “Vendor Security Questionnaire” document must be
filled out in its entirety and returned via email with bid prior to bid closing date. Failure to return
a copy of the Vendor Security Questionnaire document with all questions answered with bid
prior to bid closing will result in disqualification of bid. Any questions must be submitted via
email. No verbal questions will be responded to.
RFP responses should include all requested information. This information will be held in
confidence and will not be made available to other vendors. Likewise, the vendor agrees to
hold in confidence any and all information included in this RFP and will not disclose to a
third party any part of this RFP, except as necessary to generate a response to this RFP.
CNSD reserves the right to issue one award, multiple awards or reject any or all responses.
CNSD reserves the right to make partial awards, to award all work, to reject any and all bids,
to waive any and all bid document requirements and to negotiate contract terms with the
successful bidder, and the right to disregard all nonconforming, nonresponsive or
conditional bids. Discrepancies between words and figures will be resolved in favor of
words. Discrepancies between the indicated sum of any column of figures and the correct
sum thereof will be resolved in favor of the correct sum. The vendor is responsible for all
costs they incur in preparing their response to this RFP. The vendor may be asked to
present their response on-site. Any questions regarding this RFP should be communicated
via e-mail to Hossam Azar@cnent.com. A response will be returned as well as a copy of
your question and its response will be posted on the Cherokeebids.org website within one
business day or as soon as practicable.
2.2 RFP Format
This RFP is distributed to selected vendors with the document name:
• CNSD EAM RFP
2.3 RFP Timetable
The timetable below is subject to change, but if any modifications to the project time schedule are
made, they will be communicated to all bidders in a timely manner.
• December 3, 2014 – Bid Responses Due to CNSD
• December 4, 2014 through December 30, 2014 – Vendor de-scope/interviews/system
demos with CNSD project team
• December 31, 2014 – CNSD Final Selection
• January 2015 – Begin Contract Negotiation
2.4 Vendor Characteristics
Outlined below, not necessarily in order of importance, are the high-level descriptions of criteria
that will be looked for in evaluating proposals.
• Successfully implemented an Enterprise Asset Management System.
• Have a reputation for financial stability and operate a well-established and stable
organization
• Demonstrate an approach and design methodology compatible with the approach
outlined in this document
• CNSD’s preference is a vendor with significant multiple company experience and clients
• Have a collaborative mindset that enables CNSD to effectively implement and support
the process/application
2.5 Contractual Issues
Upon award, Cherokee Nation Security & Defense and the vendor will negotiate a Consulting
Services Agreement, Software License Agreement, Software Maintenance and/or Usage Agreement,
as applicable, to arrive at mutually agreeable terms and conditions. All work products after award
will become the property of CNSD. Vendor must contractually commit to all statements made in
their RFP response. All statements in this document are considered in scope even if not identified in
vendor documents.
2.6 Security and Control
Specifications are included that summarize the level of security for confidential and sensitive
information in applications and functions. Define what controls are provided to ensure the integrity
and protection of data within the system.
2.7 Training
• Create customized training manual in PDF for CNSD staff by vendor.
• Vendor to provide hands-on system training for all CNSD staff and internal IT support prior
to go-live.
2.8 Documentation
Vendor must provide complete and thorough documentation that addresses any technical,
configuration, development or functional change to the system. All customizations must be
documented by vendor. All process and workflow creation/changes must be documented. In
addition to change justification, the documentation must include a step by step change analysis
with visual examples where appropriate. All changes must be mutually agreed to between vendor
and CNB/CNSD.
2.9 Design Approach and Strategy
Each potential vendor must describe in detail their design approach and strategy including a list of
the key advantages of their methodology. In addition, the vendor must describe the deployment
strategies for the automation of manual processes.
2.10 Roles and Responsibilities
Each vendor must define the expected roles and responsibilities of their project team. This should
be presented in table format indicating roles with their projected timeline.
2.11 Rejection of Bids
CNSD reserves the right to reject any and all bids when such rejection is in the best interest of
CNSD. All bids are received subject to this stipulation and CNSD reserves the right to decide which
bid shall be deemed lowest and best. A violation of any of the following provisions by the bidder
shall be sufficient reason for rejecting his bid, or shall make any Contract between CNSD and the
Contractor that is based on his bid null and void: (i) divulging the information in said sealed bid to
any person, other than those having a financial interest with him in said bid, until after bids have
been opened; (ii) submission of a bid which is incomplete, unbalanced, obscure, incorrect, or which
has conditional clauses, additions, or irregularities of any kind; (iii) which is not in compliance with
this RFP; or (iv) which is made in collusion with another bidder. The foregoing list is non-exhaustive and CNB reserves the right to reject a bid or nullify any Contract between CNSD and the
bidder that is based on his bid for any other reason it deems is in the best interest of CNSD.
3.0 Current State
3.1 Enterprise Asset Management System (EAM) currently in use
CNSD does not currently utilize an EAM. Most information is currently kept in Microsoft Excel
documents.
4.0 Vendor’s Response to RFP
4.1 Format of Vendor’s Response
Please follow the format described below.
The RFP responses are to be submitted to Hossam Azar at the e-mail address provided in section
2.1 above. Responses to this RFP should address how all deliverables, features and requirements
listed in the RFP shall be met. Where applicable, include which features/deliverables/requirements
are standard, optional, or require a customization. Failing to include all requested documents may result in
disqualification of the bid. CNSD may include the vendor's response to this RFP as an addendum to
any potential contract.
4.2 Introduction and Vendor Background
Please complete the following questions to provide CNSD with a thorough understanding of your
company’s history and background. Tables are used to facilitate analysis of each vendor's product
by standardizing the format of responses to each question. In the tables below, please answer all
questions using the blank section under each question.
4.21 Management Summary
Present the overall scope and projected cost of the proposed implementation effort,
detailed by product. It should include a brief summary of the strategy in non-technical
terms. It should also state specific reasons why the vendor's proposal best satisfies the
needs of CNSD.
4.22 Annual Report
Provide a copy of the vendor's most recent annual report, if a public company. If an
annual report is provided please reference it below as an attachment to this RFP;
otherwise, a statement of financial stability by the vendor's independent auditors will
be adequate.
4.23 Organization Chart
Present a company organizational chart or other appropriate information to indicate
the organization's ability to support the installation and maintenance and adapt to
staffing changes.
4.24 Principals
Identify the principals of the organization who would be responsible for overseeing all
aspects of the proposed implementation.
4.25 Implementations
Provide a list of the two most recent implementations. Included in this list should be a
brief description of the functional enhancements and timelines for the implementation.
4.26 Team Members
Provide names and resumes of all key personnel and the proposed project team
members for review.
4.27 References
Please identify three references that CNB can contact to discuss their project. In
addition, please provide a list of customers comparable to CNB.
4.28 Vendor Questionnaire
Information Requested                                                 Response
Company Name:
Year Founded:
Number of Employees:
Number of Offices:
Primary Geographic Market Area:
Primary Industry Market:
Number of Years Implementing EAM:
Number of Current/Past Clients Using this Version of the Software:
4.29 RFP Contact
Please provide the name, title, address and phone number of the person with whom all
contact should be made concerning your response to the RFP.
4.3 Design Approach
Please provide any additional information regarding your design experience for companies with
similar challenges as CNSD. Tables are used to facilitate analysis of each vendor's product by
standardizing the format of responses to each question.
4.31 Design Experience
Describe what services are typically provided by you, the vendor, during the analysis
and design processes.
Describe the approximate staffing, by skill level, which you would recommend to assess,
design, and implement both the functional and technical aspects of the implementation.
Describe the approximate staffing and time commitment you suggest CNSD provide to
assess and design the EAM system. Identify the number of personnel and skill level
required by task.
4.4 Training Experience
Describe all available training programs. Include name, description, objectives and
training method.
4.5 Project Costs
Vendor should provide hourly rates for their respective personnel. Please provide in detail a
description and cost of the proposed evaluation, design, and upgrade project. These costs should
include defining/implementing best practice business processes, analysis and design, testing, etc. A
total estimation of time and cost is also required. A de-scope meeting or requests for
clarification may follow CNSD's review of the bid submission, and the bidder should be prepared
to be responsive in accordance with the timeline provided.
4.6 Security Questionnaire
Vendor must complete Security Questionnaire as part of RFP.
4.7 System Topology / Application Flow
Vendor must provide system topology map and application flow as part of RFP.
4.8 RFP Certification
The vendor must certify to the accuracy and completeness of all information included
as a response to this RFP. In the space below, please include the signature and title of
the principal in your organization with the authority to represent your products and
the contents of your proposal.
Printed name:
Signature:
Title:
Date:
5.0 Definitions
Term: Description
AD: Active Directory
Agency Owner: The owner of the equipment asset, who is not a party to the Contract. CNSD must ensure it performs work only for its contracted customer.
CDRL: Contractor data requirements list
CMMS: Computerized maintenance management system.
CNB: Cherokee Nation Businesses, the parent company of CNSD.
CNSD: Cherokee Nation Security & Defense is part of the CNB family of companies.
Contract: A formal and legally binding agreement between a government agency and CNSD.
COTS: Commercial-off-the-shelf software
CRUD: Acronym for Create, Read, Update or Delete functionality on specific fields.
Customer: Describes the customer defined in the contract by its common name, such as IRS.
Deliverable: Any measurable, tangible, verifiable outcome, result, or item that must be produced to complete a project or part of a project.
Device Type: Equipment’s Device Type determines the task order list performed on each equipment type.
EAM: Enterprise Asset Management. The whole-life optimal management of the physical assets of an organization to maximize value.
Employee: A direct CNSD employee or its employee type, contractor, who is assigned a zone to manage equipment assets.
Employee Labor: An employee who provides service and charges their time worked on equipment assets.
Equipment Asset: A government-owned IT security asset being managed by CNSD in this project.
Equipment Status: Status showing if the equipment is operational, non-operational, damaged or missing.
Impact: Quantitative assessment of the magnitude of loss or gain. If the identified risk were to occur, what is the impact it would have on the team’s ability to produce or maintain the deliverable? Scale rating: 1-3 low, 4-7 medium, 8-10 high.
Incident: Any adverse event whereby some aspect of computer security could be threatened. Adverse events may include loss of data confidentiality, disruption of data or system integrity, disruption or denial of availability, loss of accountability, or damage to any part of the system.
Kitting: Bundling multiple different parts together under a unique ID.
Order Status: Allows CNSD to manage Service Orders while knowing where the work required to completion stands in the cycle.
Order Type: A description of types of work performed on equipment assets and displayed on a Service Order.
Part Asset: Part Assets are spare part inventory items installed on equipment assets. Part Assets may be bundled in a Kit and will be stored at multiple site locations.
Probability: The likelihood of an occurrence.
Risk: The cumulative effect on the consequences of uncertain occurrences that may positively or negatively affect project objectives.
SaaS: Software as a Service
Service Order: A work order for providing service on equipment assets. Also listed as a report.
Site: A government agency location containing IT security equipment assets.
Site Location Area: Represents a location and area within a Site. Allows CNSD to describe the location of equipment assets in very large sites on IT equipment locations.
TERO: Tribal Employment Rights Office, Cherokee Nation. Protects employment rights through monitoring and enforcing tribal TERO requirements.
Warranty: Information about an equipment asset’s warranty, or lack of one, maintained within the EAM.
Zone: A geographical area defined by the customer, with each zone containing many Sites. A.K.A. Region.
6.0 Business Relationship/Non-Disclosure
BUSINESS RELATIONSHIP AFFIDAVIT
STATE OF ________________ )
                          ) ss.
COUNTY OF _______________ )
___________________________________________, of lawful age, being first duly sworn, on oath states that the nature of
any partnership, joint venture, or other business relationship presently in effect or which existed within one
(1) year prior to the date of this statement with CNB or other party to the services provided under the
Agreement is as follows:
______________________________________________________________________________
______________________________________________________________________________
Affiant further states that any such business relationship presently in effect or which existed within one (1)
year prior to the date of this statement between any officer or director of Consultant and any officer, director,
manager or member of the Board of Directors of CNB or other party to the project is as follows:
______________________________________________________________________________
______________________________________________________________________________
Affiant further states that the names of all persons having any such business relationships and the positions
they hold with their respective companies or firms are as follows:
______________________________________________________________________________
______________________________________________________________________________
Affiant further states that any family/relative relationships present between any officer, director or agent of
Consultant and any officer, director, manager or member of the Board of Directors of CNB other party to the
Agreement is as follows:
______________________________________________________________________________
______________________________________________________________________________
Affiant further states that the names of all persons having any such family/relative relationships and the
positions they hold with their respective companies or firms are as follows:
______________________________________________________________________________
______________________________________________________________________________
(If none of the business relationships hereinabove mentioned exist, affiant should so state.)
_______________________________________
Subscribed and sworn to before me this __________ day of ______________________ 20__.
_______________________________________
Notary Public
My Commission Expires: ____________________
NON-COLLUSION AFFIDAVIT
STATE OF ________________ )
                          ) ss.
COUNTY OF _______________ )
___________________________________________, of lawful age, being first duly sworn, on oath says that (s)he is the agent authorized by the
bidder to submit the attached bid. Affiant further states that the bidder has not been a party to any
collusion among bidders in restraint of freedom of competition by agreement to bid at a fixed price
or to refrain from bidding; or with any Cherokee Nation Security & Defense, L.L.C. employee as to
quantity, quality or price in the prospective Contract, or any other terms of said prospective
Contract; or in any discussions between bidders and any Cherokee Nation Security & Defense, L.L.C.
official concerning exchange of money or other thing of value for special consideration in the letting
of a Contract.
Signed: __________________________________
TITLE: ___________________________________
Subscribed and sworn to before me this _________ day of _________________________, 20__.
____________________________________
Notary Public
AGREEMENT #
NON-DISCLOSURE AGREEMENT
Cherokee Nation Security & Defense, L.L.C., with offices at 777 W. Cherokee St., Catoosa, OK 74015
(“CNSD”)
and
___________________________________________________________________ with offices at
_____________________________________________________ (“Company”), in consideration of the mutual covenants
of this Non-disclosure Agreement (“Agreement”), hereby agree as follows:
1. In connection with discussions and/or negotiations between the parties regarding potential business
transactions and relationships ("Subject Matter"), each party to this Agreement may wish to disclose
its proprietary or trade secret information ("Information") to the other party on a confidential basis.
The disclosing party may consider such Information proprietary under this Agreement either because it
has developed the Information internally, or because it has received the Information subject to a
continuing obligation to maintain the confidentiality of the Information, or because of other reasons.
The disclosing party may consider such Information as a trade secret because such Information derives
independent economic value, actual or potential, from not being generally known to, and not being
readily ascertained by proper means by, other persons who can obtain economic value from its
disclosure or use.
2. When Information deemed to be proprietary or trade secret is furnished in a tangible form, including
electronic mail, the disclosing party shall clearly mark the Information in a manner to indicate that it is
considered proprietary, confidential, trade secret or otherwise subject to limited distribution as
provided herein. When Information deemed to be proprietary is provided orally, including information
conveyed to an answering machine, voice mail box or similar medium, the disclosing party shall, at the
time of disclosure, clearly identify the Information as being proprietary or confidential or otherwise
subject to limited distribution as provided herein. If the disclosing party fails to identify Information as
confidential, such disclosing party may correct the omission by later notice consisting of a writing or
statement, and the recipient shall only be liable for unauthorized disclosures of such Information made
subsequent to said notice. In addition, the existence and terms of this Agreement, and the fact and
substance of discussions and correspondence between the parties concerning goods or services, shall
be deemed proprietary Information.
3. With respect to Information disclosed under this Agreement, the party receiving Information shall:
a. hold the Information in confidence, exercising a degree of care not less than the care used by
receiving party to protect its own proprietary or confidential information that it does not wish to
disclose;
b. restrict disclosure of the Information solely to those directors, officers, employees, affiliates, and/or
agents/consultants, including either party’s ability to disclose to commercial lenders, and the Chief
and Tribal Council of the Cherokee Nation, with a need to know and not disclose it to any other
person;
c. advise those persons to whom the Information was disclosed of their obligations with respect to the
Information;
d. use the Information only in connection with continuing discussions by the parties concerning the
Subject Matter, except as may otherwise be mutually agreed upon in writing; and
e. except for the purposes of evaluating the Subject Matter, not copy or distribute such Information or
knowingly allow anyone else to copy or distribute such Information, and any and all copies shall
bear the same notices or legends, if any, as the originals.
4. The Information shall be deemed the property of the disclosing party and, upon request, the other
party will return all Information received in tangible form (and marked proprietary or confidential) to
the disclosing party or will destroy or erase if such Information is recorded on an erasable storage
medium, all such Information at the disclosing party's direction, and certify to the disclosing party the
Information has been destroyed or erased. If either party loses or makes an unauthorized disclosure of
the other party's Information, it shall notify such other party immediately and use reasonable efforts to
retrieve the lost or wrongfully disclosed Information.
5. In the event a party or its affiliate(s) makes an unauthorized disclosure, such party shall indemnify the
aggrieved party, including the aggrieved party’s officers, directors, managers, agents and/or employees
for any loss proximately arising from such disclosure.
6. The party to whom Information is disclosed shall have no obligation to preserve the proprietary nature
of any Information which:
a. was previously known to such party free of any obligation to keep it confidential;
b. is or becomes publicly available by other than unauthorized disclosure;
c. is developed by or on behalf of such party independent of any Information furnished under this
Agreement;
d. is received from a third party whose disclosure does not violate any confidentiality obligation; or
e. is disclosed pursuant to the requirement or request of a duly empowered governmental agency or
court of competent jurisdiction to the extent such disclosure is required by a valid law, regulation
or court order, and sufficient notice is given by the recipient to the disclosing party of any such
requirement or request to permit the disclosing party to seek an appropriate protective order or
exemption from such requirement or request, unless such notice is prohibited by said order.
7. Neither this Agreement, nor the disclosure of Information under this Agreement, nor the ongoing
discussions and correspondence between the parties, shall constitute or imply a commitment or
binding obligation between the parties or their respective affiliated companies, if any, regarding the
Subject Matter. If, in the future, the parties elect to enter into a binding commitment regarding the
Subject Matter, such commitment will be explicitly stated in a separate written agreement executed by
both parties, and the parties hereby affirm that they do not intend their discussions, correspondence,
and other activities to be construed as forming a contract regarding the Subject Matter or any other
transaction between them without execution of such separate written agreement.
8. This Agreement may not be assigned by either party without the prior written consent of the other
party, except that no consent is necessary for either party to assign this Agreement to a corporation
succeeding to substantially all the assets or business of such party whether by merger, consolidation,
acquisition or otherwise. This Agreement shall benefit and be binding upon the parties hereto and
their respective successors and permitted assigns.
9. The parties acknowledge that they have had an adequate opportunity to review this Agreement and to
consult legal counsel knowledgeable in Federal Indian Law and Cherokee Nation Law regarding the
legal effect of this Agreement. This Agreement and any disputes arising out of, or relating to, this
Agreement shall be governed by the laws of the Cherokee Nation of Oklahoma.
10. This Agreement shall become effective as of the date set forth below (“Effective Date”). Disclosure of
Information between the parties under this Agreement may take place for a period (the “Information
Disclosure Period”) of two (2) years after the Effective Date. The obligations of the parties contained in
Paragraphs 3 and 4 shall survive and continue beyond the expiration of the Information Disclosure
Period indefinitely with regard to Information designated as a trade secret by disclosing party and for a
period of three (3) years with regard to all other Information.
11. The parties acknowledge that in the event of an unauthorized disclosure, the damages incurred by a
non-disclosing party may be difficult if not impossible to ascertain, and that such non-disclosing party
may seek injunctive relief as well as monetary damages against a party that breaches this Agreement.
12. This Agreement constitutes the entire understanding between the parties with respect to the Subject
Matter provided hereunder and supersedes all proposals and prior agreements (oral or written)
between the parties relating to the confidential nature of the Information provided hereunder. No
amendment or modification of this Agreement shall be valid or binding on the parties unless made in
writing and executed on behalf of each party by its duly authorized representative.
13. Neither party:
a. is responsible or liable for any business decisions made or inferences drawn by the other party in
reliance on this Agreement or in reliance on actions taken or disclosures made pursuant to this Agreement;
b. shall be liable to or through the other hereunder for amounts representing loss of profits, loss of
business, or special, indirect, consequential, or punitive damages.
14. NOTWITHSTANDING ANYTHING IN THIS AGREEMENT TO THE CONTRARY, NEITHER DISCLOSING
PARTY MAKES ANY REPRESENTATIONS OR WARRANTIES OF ANY NATURE WHATSOEVER WITH
RESPECT TO ANY INFORMATION DISCLOSED, INCLUDING, WITHOUT LIMITATION, ANY
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR AGAINST
INFRINGEMENT.
15. The parties acknowledge that this Agreement does not restrict the ability of the parties to engage in
their respective businesses, nor does it limit either party's use or application of any information or
knowledge acquired independently of the other without a breach of this Agreement in the course of
such party's business.
16. The recipient represents and warrants that no technical data furnished to it by the disclosing party will
be exported from the United States, including but not limited to disclosing technical data to a foreign
firm, foreign government or foreign national who is not lawfully admitted to the United States as a
permanent resident, without first complying with all requirements of the International Traffic in Arms
Regulations and the Export Administration Act, including the requirement for obtaining any export
license or other approval, if applicable. The recipient shall first obtain the written consent of the
disclosing party prior to submitting any request for authority to export any such technical data.
17. This Agreement may be executed in one or more counterparts each of which shall be deemed an
original, but all of which together shall constitute one and the same agreement. Facsimile signatures to
this Agreement shall be deemed to be binding upon the parties.
Each party represents that it has caused this Agreement to be executed on its behalf as of the date written
below by a representative empowered to bind that party with respect to the undertakings and obligations
contained herein.
Executed and effective this ____________ day of _______________________ 2014.
COMPANY: _______________________________________________
CHEROKEE NATION SECURITY & DEFENSE, L.L.C.
(SIGNATURE)
(SIGNATURE)
(PRINT NAME)
Russell Claybrook
(PRINT NAME)
(TITLE)
President
(TITLE)
Federal FAR/IRSAP Flow-down Provisions
The Federal Acquisition Regulation (FAR) and Internal Revenue Service Acquisition Procedures (IRSAP) clauses, unless the context of the clause requires
otherwise, referenced herein are incorporated by reference with the same force and effect as if provided in full text. The intent for referenced clauses is to
apply to Seller the necessary requirements of Buyer’s obligations and Prime Agreement with the U.S. Federal Government reflecting Seller’s position as
subcontractor to Buyer. Full text for each FAR clause is available for review at: http://farsite.hill.af.mil/VFFARA.HTM. Specific FAR/IRSAP clauses are made
applicable based on the types of material, services, and/or subcontract purchases involved. The following apply to the clauses incorporated by reference below:
1. Substitute “CNSD” for “Government” or “United States” throughout the clauses where appropriate.
2. Substitute “CNSD Procurement Representative” for “Contracting Officer”, “Administrative Contracting Officer”, and “ACO” in the clauses.
3. Communication/notification required under these clauses from/to the Contractor to/from the Contracting Officer shall be through CNSD.
Regulatory Cite | Title | Date
52.203-6 | RESTRICTIONS ON SUBCONTRACTOR SALES TO THE GOVERNMENT | SEP/2006
52.203-13 | CONTRACTOR CODE OF BUSINESS ETHICS AND CONDUCT | APR/2010
52.207-3 | RIGHT OF FIRST REFUSAL OF EMPLOYMENT | MAY/2006
52.209-9 | UPDATES OF PUBLICLY AVAILABLE INFORMATION REGARDING RESPONSIBILITY MATTERS | FEB/2012
52.211-5 | MATERIAL REQUIREMENTS | AUG/2000
52.215-5 | CONTRACT TERMS AND CONDITIONS REQUIRED TO IMPLEMENT STATUTES OR EXECUTIVE ORDERS – COMMERCIAL ITEMS | JAN/2013
52.219-8 | UTILIZATION OF SMALL BUSINESS CONCERNS | DEC/2010
52.222-3 | CONVICT LABOR | JUN/2003
52.222-17 | NONDISPLACEMENT OF QUALIFIED WORKERS | JAN/2013
52.222-19 | CHILD LABOR—COOPERATION WITH AUTHORITIES AND REMEDIES | MAR/2012
52.222-21 | PROHIBITION OF SEGREGATED FACILITIES | FEB/1999
52.222-26 | EQUAL OPPORTUNITY | MAR/2007
52.222-35 | EQUAL OPPORTUNITY FOR VETERANS | SEP/2010
52.222-36 | AFFIRMATIVE ACTION FOR WORKERS WITH DISABILITIES | OCT/2010
52.222-37 | EMPLOYMENT REPORTS ON VETERANS | SEP/2010
52.222-40 | NOTIFICATION OF EMPLOYEE RIGHTS UNDER THE NATIONAL LABOR RELATIONS ACT | DEC/2010
52.222-41 | SERVICE CONTRACT ACT OF 1965 | NOV/2007
52.222-43 | FAIR LABOR STANDARDS ACT AND SERVICE CONTRACT ACT – PRICE ADJUSTMENT (MULTIPLE YEAR AND OPTION CONTRACTS) | SEP/2009
52.222-50 | COMBATING TRAFFICKING IN PERSONS | FEB/2009
52.222-54 | EMPLOYMENT ELIGIBILITY VERIFICATION | JUL/2012
52.225-13 | RESTRICTIONS ON CERTAIN FOREIGN PURCHASES | JUN/2008
52.245-1 | GOVERNMENT PROPERTY | APR/2012
52.247-64 | PREFERENCE FOR PRIVATELY-OWNED U.S. FLAG COMMERCIAL VESSELS | FEB/2006
1052.203-9000 | NEWS RELEASES AND ADVERTISEMENTS | JUN/2005
1052.204-9001 | IDENTIFICATION/BADGING REQUIREMENTS | MAR/1998
1052.204-9002 | PERSONAL IDENTITY VERIFICATION OF CONTRACTOR PERSONNEL | OCT/2005
1052.204-9005 | SUBMISSION OF SECURITY FORMS AND RELATED MATERIALS | AUG/2010
1052.239-9008 | SECTION 508 INFORMATION, DOCUMENTATION AND SUPPORT | SEP/2006
1052.239-9010 | SECTION 508 SERVICES | SEP/2006
APPLICABLE GOVERNMENT AND SECURITY REGULATIONS
Internal Revenue Service Acquisition Procedure (IRSAP) v. 2
Revenue Manual (IRM) 10.2.1, Physical Security, The Physical Security Program, dated
September 18, 2008
Federal Information Security Management Act (FISMA), Title III of the E-Government Act of
2002, P.L. 107-347
OMB Circular No. A-130, Security of Federal Automated Information Resources Appendix III.
Federal Travel Regulation (FTR) 41 Code of Federal Regulations (CFR), Chapters 300 through
304
The National Electric Code (NEC), BOCA, Underwriters Laboratories (UL), NACMA,
Federal Information Processing Standard 175:
Federal Building Standard for Telecommunication Pathways and Spaces (see Electronic
Industries Association (EIA/TIA Standard 568-A and related bulletins).
Federal Information Processing Standard 174-1: Federal Building
Telecommunications Wiring Standard (see also Electronic Industries Association EIA/TIA
Standard 569 and related bulletins)
OMB Circular No. A-130, Security of Federal Automated Information Resources Appendix III.
http://www.wiringproducts.com/index1.html?lang=enus&target=d47.html&gclid=CLm0nZ__kpcCFSCysgodfBS8Tg
GSA/PBS Operations and Maintenance Standards and Technical Exhibit
Federal Information Security Management Act (FISMA)
OMB Circular policy M-06-16, Protection of Sensitive Agency Information
NIST Special Publication 800-53 Security Controls
OMB Circular Policy M-06-15, Safeguarding Personally Identifiable Information (PII),
Policy M-06-19 Reporting Incidents Involving Personally Identifiable Information.
INTERNAL REVENUE MANUAL (IRM) 10.8.1
Federal Information Security Management Act (FISMA),
E-Government Act of 2002,
The Privacy Act of 1974
OMB Circular A-130, Management of Federal Information Resources.
OMB Policy M-06-16.
National Institute of Standards and Technology (NIST). NIST Special Publication 800-53,
Recommended Security Controls for Federal Information / NIST 800-53A and Revision 1,
FIPS 200 Minimum Security Requirements for Federal Information and Information Systems.
NIST special publication 800 Series
Federal Information Processing Standards (FIPS) for computer security.
Information Technology (IT) Security standards and policies.
IRM Handbook 1.23.2, Section 2
General Security Questionnaire
For System Applications
1. What is used to store end user account information?
a. MS SQL database?
i. Is Password Rotation Supported?
ii. Is Password Complexity Supported?
iii. Are previously used passwords stored so they cannot be reused?
iv. What method is applied to the passwords before storing? E.g. Encoding,
Hashing, Encryption?
1. If Encoding
a. What is the need to have the password reversed?
b. What is the timeline to have it changed to Hashing?
2. If Hashing
a. Is a salt used?
b. What algorithm is used?
3. If Encryption
a. What encryption is used?
b. What key strength?
c. What is the need to have the password reversed?
d. What is the timeline to have it changed to Hashing?
4. Other method not listed? Explain:
b. Active Directory?
i. Can Active Directory Groups be used to limit access to who can run the
application?
ii. Can Active Directory Groups be used to limit access to certain
application functions?
1. Example: one user can make entries, but it takes another level of
authorization from a manager to change entries.
iii. If Active Directory is not supported, will the vendor modify the application to use
Active Directory?
c. Cloud?
i. If cloud storage, where is the data geographically located?
ii. Are any subcontractors located outside the US?
iii. Are any employees or subcontractor employees not US citizens?
d. If not MS SQL or AD or Cloud, what is used for user account storage?
i. If cloud storage, where is the data geographically located?
ii. Are any subcontractors located outside the US?
iii. Are any employees or subcontractor employees not US citizens?
2. Does the application use a backend Database for storing data?
a. What database system is used? MS SQL, Oracle, Cloud, etc.
i. What version?
1. If not the latest version, what is the timeline on getting to the latest
version?
b. Is any confidential (PCI, PII, HIPAA, other) data stored in the database?
i. Is encryption used to protect confidential data?
ii. Is any of the data regulated by any compliance or authority?
c. Is any Database archiving done?
i. If yes:
1. What is the security applied to the Archive?
2. Is any encrypted data decrypted for the archive?
3. Is the archive stored in a location that is hardened as much as the
live database?
3. How is an audit trail generated for activity?
a. Where is the audit trail stored?
i. MS SQL?
ii. Offsite at the vendor (cloud)?
iii. Local log files on the client?
iv. Archived PDF Documents?
b. How long is the audit trail stored?
c. Is any confidential information stored in the audit trail?
d. Is any encryption used on the audit trail storage?
e. Does the audit trail contain:
i. Date/time of alteration
ii. User that performed the alteration
iii. Parameter altered
iv. Value prior to alteration
v. Value after alteration
f. How do we view the audit trail?
4. Does the application need Internet Connectivity?
a. If yes, is the communication over SSL?
b. If yes, what data is being pulled/sent to the Internet?
5. After installation, does any part or subsystem of the application require Windows Local
Administrator Rights to run?
a. If yes, is the vendor willing to correct this flaw?
6. How does the client application talk to the server backend? E.g. Direct connection to a
database, through web/app service, etc.
a. If direct connection to DB, does the client use ad hoc SQL or stored procedures?
i. If Ad Hoc at all, can application run on just stored procedures?
b. If direct connection to DB, what authentication method? E.g. DB/Local User or
Windows Integrated.
i. If DB/Local User, how are credentials stored on client?
1. Are they encrypted?
ii. If DB/Local User, what connection client is used? ODBC, SQL Native,
etc.
7. Is any encryption used in communications between machines in the system? E.g.
Between client and server, between application server and database server.
a. If no, can it be implemented?
b. If yes, which communication channels and what level of encryption and algorithm
are used? E.g. Client to Server- AES256, Client to Web Server - SSLv3 2048
8. Does any part of the backend system require a console application to be left running in
the background on the “server” at all times?
a. What is the timeline to correct this defect?
9. Do the client workstations run in kiosk mode (1 generic user logged into machine, many
users log into application) or can the application run under the logged in user with any
valid user logging into the machine?
a. If yes to kiosk mode, can the application be changed to allow running under any
logged in user?
10. Is alerting supported on “odd” behavior? E.g. anything that falls outside of a configurable
threshold on the system or unusual activity that goes outside of a normal process.
a. What kind of alerting or mitigating measures can be used in the event of such
behavior or threshold breach?
11. Is any form of file share required (on client or server) for the application to operate?
a. If yes, what levels of permissions are required and who will need them?
12. If using a Database, are the DB vendor’s (Microsoft/Oracle/etc.) Best Practices for
securing the database server followed? In other words, if a server was set up with Best
Practice guidelines, does any of it need to be “loosened” in order for the application to
work?
13. Are the Client/Server Operating System (OS) vendors’ Best Practices for securing the OS
in its particular role followed?
14. Is regular patching of the Client and Server OS with the latest vendor patches and service
packs supported?
15. Is regular patching of the Database Server with the latest vendor’s patches and service
packs supported?
16. Does the application meet all required regulatory compliance requirements? E.g. TICS, PCI, HIPAA,
ITAR, etc.?
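The password-storage questions in item 1.a (iii and iv) separate encoding, which a reviewer should treat as reversible, from salted one-way hashing. The Python below is an added example, not part of the RFP or any vendor's product, showing that difference and how a stored salted hash also supports the "previously used passwords" check; the PBKDF2 parameters, the record format, and the sample passwords are assumptions made for the demo.

```python
import base64
import hashlib
import hmac
import os
from typing import List, Optional

# Constructed demo (not from the RFP): the storage methods named in
# questionnaire item 1.a.iv, plus the reuse check from item 1.a.iii.

PBKDF2_ITERATIONS = 210_000  # assumption: work factor chosen for this demo
SALT_BYTES = 16              # assumption: random per-user salt length


def encode_password(password: str) -> str:
    """'Encoding' (here base64). Reversible by anyone who can read the store,
    which is why the questionnaire asks what the need for reversal is."""
    return base64.b64encode(password.encode("utf-8")).decode("ascii")


def decode_password(stored: str) -> str:
    """Recovers the original: encoding is a representation, not a protection."""
    return base64.b64decode(stored).decode("utf-8")


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hashing (PBKDF2-HMAC-SHA256). Record layout is
    algorithm$iterations$salt$digest so every field is available at verify time."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recomputes the digest with the stored salt and compares in constant time.
    Malformed or foreign records verify as False instead of raising."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:
        return False


def is_reused(password: str, history: List[str]) -> bool:
    """Item 1.a.iii: former passwords are kept only as salted hashes; a new
    password is rejected if it verifies against any record in the history."""
    return any(verify_password(password, old) for old in history)
```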