Inactive
Notice ID: 140R8119Q0111
THIS IS NOT A SOLICITATION FOR PROPOSALS. THIS IS A SOURCES SOUGHT SYNOPSIS ONLY.

This Request for Information (RFI) is for the purpose of identifying companies that can meet the following Bureau of Reclamation requirements.

Sample Product Meeting Criteria: Change Tracker or Equal
• AC-7 Unsuccessful Logon Attempts
• AC-12 Session Termination
• AU-2 Audit Events
• CA-2 Security Assessments
• CA-7 Continuous Monitoring
• CM-2 Baseline Configuration
• CM-3 Configuration Change Control
• CM-6 Configuration Settings
• IR-4 Incident Handling
• MA-2 Controlled Maintenance
• MP-2 Media Access
• MP-5 Media Transport
• RA-5 Vulnerability Scanning
• SA-8 Security Engineering Principles
• SA-10 Developer Configuration Management
• SC-7 Boundary Protection
• SC-8 Transmission Confidentiality and Integrity
• SI-3 Malicious Code Protection
• SI-4 Information System Monitoring
• SI-7 Software, Firmware, and Information Integrity

And NERC-CIP Controls:
• CIP-003-5 Security Management Controls
• CIP-005-5 Electronic Security Perimeter(s)
• CIP-007-5 Systems Security Management
• CIP-008-5 Incident Reporting and Response Planning
• CIP-010-1 Configuration Change Management and Vulnerability Assessments
• CIP-011-1 Information Protection

A successful product must monitor the following Information System components or characteristics:
• files, file contents, file attributes and folder structures
• file secure hash value
• running processes (checked against blacklists and whitelists)
• Windows registry keys and values
• installed applications and patches
• local and domain user accounts
• services' startup and running states
• Windows audit and security policy settings, including
• configuration settings for audit and security policy, including NIST STIG and custom baselines
• command line process output, for example a netstat query
• open network ports, both UDP and TCP scanned externally on a scheduled basis (checked against blacklists and whitelists)
• enforces CIS Benchmark Checklists or NIST STIGs or complete NIST 800-53 control settings for vulnerability assessment and mitigation

Additional requirements:
• SIEM alerting integration using outgoing syslog and/or SNMP traps
• Logging of username and process used to make file changes
• Low bandwidth utilization for sites connected via leased lines
• Secure management and storage meeting current NIST standards for password requirements, password age, account disablement, and logging

Must Accommodate:
• 70 servers or network devices
• 65 desktop devices
• 2 offline, disconnected, on-premises consoles providing all requisite management, deployment, reporting capabilities using a GUI and/or web interface compatible with Internet Explorer 10 or newer

Platform Compatibility:
• Windows versions including Server 2016 and Windows 10, XP, 2003/R2, Windows 7, Windows 8/8.1, 2008R2, 2012/R2
• Linux including CentOS, RedHat, and RHEL 5
• VMware, all versions including ESXi
• Database Systems, including Oracle, SQL Server, MySQL
• Network Devices and Appliances from Cisco, Fortinet, and Checkpoint

Support from vendor of said product or products must include:
• Security updates for at least 3 years from purchase
• Full documentation for system setup and ports
• Training or configuration assistance, online or onsite, as needed
• Provide 24x7 online, email, or phone hardware and software support, as applicable
• Ability to purchase support on a continuing basis - may be satisfied on a perpetual or subscription basis

This RFI shall not be considered as a request for proposal or as an obligation on the part of the Government to acquire any products or services. No entitlement to payment of direct or indirect costs or charges by the Government will arise as a result of the contractor submission of this RFI or the Government's use of such information. The Government reserves the right to reject, in whole or in part, any contractor's input resulting from this RFI.
No contract will be awarded as a result of this announcement. Data submitted in response to this RFI will not be returned.

INSTRUCTION FOR RFI SUBMISSION:

After review of this information, interested parties may submit a response in an electronic format via email to Christina Mohamed cmohamed@usbr.gov no later than January 31, 2019 11:00 AM MDT. Electronic files should be in Microsoft Office Word or PDF format. All information should be UNCLASSIFIED material only.

Respondents should include as part of their submission:
a. A synopsis of the company's capabilities in this area.
b. GSA Number/NASA SEWP Number (or both) if applicable
c. DUNS Number
d. Company Name
e. Company Address
f. Business size, SDVOSB, HUBZone, or Woman owned status, as validated via the System for Award Administration (SAM). All offerors must register on the SAM located at http://www.SAM.gov
g. Company point of contact, phone and email address.
h. Past work experience. If you have experience working with other Federal Agencies and/or commercial businesses of similar size and scope, please include agency and/or business name, contract number (if applicable), amount and type of contract (e.g. FFP, T&M, Labor hour etc).

Any company proprietary information must be marked as such. The RFI information should not exceed a total of 10 one-sided 8 1/2x11 pages, with one inch margins, and font no smaller than 12 point.