I. Introduction
The purpose of this RFI is to assist the Government in conducting market research focused on identifying capable GSA VETS 2 contract holders for this requirement. This information will be used for market research only. The Government is not obligated to release a future solicitation. This RFI does NOT constitute a Request for Proposal and is not to be construed as a commitment, implied or otherwise, by the Government that a procurement action will be issued. No telephone inquiries will be accepted and requests for solicitation packages will not be honored, as no solicitation is intended at this time. Response to this notice is not a request to be added to a bidders list or to receive a copy of a solicitation. No entitlement to payment of direct or indirect costs or charges by the Government will arise as a result of the submission of the requested information. No reimbursement will be made for any costs associated with providing information in response to this announcement and any follow up information requests. Responses to this RFI may be considered in the future determination of an appropriate acquisition strategy for the program. The Government may not respond to any specific questions or comments submitted in response to this RFI or information provided as a result of this request.
Any information submitted by respondents as a result of this notice is strictly voluntary.
II. PROGRAM BACKGROUND
The National Science Foundation (NSF) Office of Polar Programs (OPP) Antarctic Infrastructure and Logistics Section (AIL) manages the United States Antarctic Program (USAP) which carries forward the Nation's goals of supporting the Antarctic Treaty, fostering cooperative research with other nations, protecting the Antarctic environment, and developing measures to ensure only equitable and wise use of resources. Through the NSF Antarctic Support Contract (ASC) with Leidos as prime, AIL implements the USAP General Support System (USAP GSS) information technology infrastructure to support its operations. The USAP prime contractor manages a centralized logging capability that collects log data from a subset of devices at USAP operating locations. The USAP GSS includes approximately 4000 endpoints. The USAP prime contractor manages a centralized logging capability that collects log data from a subset of devices at all USAP operating locations.
III. PURPOSE
The purpose of this requirement is to provide a managed security services to safeguard USAP networks and systems against ever-evolving security threats. A Managed Security Services (MSS) delivers managed detection and response (MDR) services which include security incident and event management (SIEM), logging and alerting of endpoints, email, web sites, networks, anti-virus, antimalware/ spyware, intrusion detection, and security event management, and capabilities such as authentication. Services identified as part of this RFI will support the mission need of AIL located in Alexandria, VA, and its USAP CONUS and OCONUS operating locations.
IV. SCOPE
The scope of this requirement is to provide a FISMA, OMB, and NIST compliant Managed Security Services and Managed Detection & Response for the USAP GSS, a Moderate impact system. The contractor shall provide and manage their own hardware, software, and telecommunications connectivity to implement the required capabilities for the USAP network. This includes providing and managing their own staff and their own operating locations. The deployment and operation of the monitoring capabilities shall be coordinated with AIL and other USAP organizations as designated by AIL, such as the current Antarctic Support Contract holder, Leidos ASC. All MSSP-provided cloud computing services must have and retain an Authorization To Operate (ATO) from the Federal Risk and Authorization Management Program (FedRAMP) for the duration of the contract. All cloud computing services must adhere to the terms and conditions as specified in NSF320 CLOUD SERVICE SECURITY REQUIREMENTS FOR SERVICES CONTRACTED BY THE NATIONAL SCIENCE FOUNDATION (MAY 2019). The MSSP will establish and maintain an environment that is specific to NSF data and does not mingle NSF data with any other federal agency or any other customer. NSF will not be a FedRAMP sponsor for any cloud computing services.
V. TASKS
NSF/AIL requires Managed Security Services and Managed Detection & Response to safeguard USAP networks and systems against ever-evolving security threats. MSS/MDR services enhance existing protection of endpoints, email, web, and networks, and includes capabilities such as authentication, antivirus, anti-malware/spyware, intrusion detection, and incident response.
The contractor shall ingest USAP GSS log data and analyze that log data to provide up-to-date situational awareness of network security services, devices, and resources associated with MSS, including, but not limited to:
- MSSP Implementation Project Management
- MSSP Telecommunications Connectivity Services
- Technical Services and Capabilities
- Managed Detection and Response (MDR) Services
- Incident Response Service (INRS)
- MSSP SIEM Log Ingestion
- MSSP SIEM Dashboards and Reporting
NSF envisions the following tasks may be part of a possible future acquisition and are detailed below:
a) Task 1 Program Management
b) Task 2 Real-Time Monitoring and Alerting
c) Task 3 Incident Response and Management Support
d) Task 4 Log Collection and Analysis
e) Task 5 Compliance
f) Task 6 Reporting
g) Task 7 Cloud Service Monitoring
h) Task 8 Custom Security Rules
Task 1 Program Management Support
The contractor shall provide program management support under this requirement. This includes the management and oversight of all activities performed by contractor personnel, including subcontractors, to satisfy the requirements.
Because of the nature of a MSSP, the NSF will require a specific program manager to facilitate analysis of events & log data, troubleshoot, and support the NSF and ASC resources with the implementation of the product. Furthermore, the MSSP contact must be able to provide actionable remediation recommendations to the NSF and ASC based on the specific regulatory needs of the organization. In addition to the requirements set forth below, the NSF requires the MSSP to designate a program manager for the entire duration of the contract. The MSSP program manager will participate in quarterly status meetings, provide the NSF and the ASC with SLA and other reports and escalate any issues according to defined escalation procedures, etc.
Task 2 Real-Time Monitoring
The USAP seeks a service provider who can add value to security information and log management by assessing real-time data (REAL-TIME MONITORING TIER) and stored logs (LOG COLLECTION AND ANALYSIS TIER) to add context to incident identification and response. Each service tier shall be quoted.
The MSSP must operate a Security Operations Center(s) (SOC) that operates 24 hours a day, 7 days per week. The SOC engineers shall be reachable by telephone and e-mail. The MSSP shall provide authorized NSF and ASC administration access to a web based SOC portal in order to obtain on-demand, real time views of USAP GSS monitored devices.
Task 3 Incident Response and Management Support
The contractor shall support USAP GSS incident response and management activities conducted by AIL through Leidos. The contractor shall record all incidents in an issue tracking system and make such system available to appropriate NSF and ASC personnel. Individual contacts should be able to obtain real time and historical performance data for all monitored devices. They are also the primary contacts for the Managed Security Service Provider (MSSP) in case of security incidents, monitored device outages or scheduled maintenance notifications.
Tash 4 Log Collection and Analysis
The contractor shall provide real-time monitoring, event correlation, and analysis. Ingest aggregated log aggregation data provided by the ASC and provide collection, retention, archival and analysis of such for compliance reporting and vulnerability/exploit remediation recommendations. Regular inspection of collected log data is required with special attention given to identifying evidence of privilege escalation and unauthorized creation of accounts.
Log collection requirements shall include the acquisition of all log data and the retention of that data for 18 months, even after review and reporting, to meet the NSFs auditing and compliance needs.
Task 5 Compliance
The contractor shall adjust and update processes and procedures to comply with the latest guidance from OMB, NIST, etc. The contractor shall provide the capability to monitor the regulatory environment and make adjustments to this requirement.
Task 6 Reporting
The contractor shall provide periodic, on-demand, and ad-hoc reporting abilities to view the collected data and provide analysis and suggest classification in a context relevant to compliance with NIST standards. The MSSP should also be able to provide a streamlined process for generating reports in anticipation for risk assessments and audits where required.
Task 7 Cloud Service Monitoring
The ASC is in the initial stages of migrating networking services to the cloud. The contractor shall provide services to monitor both the current network hub location (Denver CO) as well as the future cloud service provider. This includes monitoring user and administrator access, behavior, and API access.
Task 8 Custom Security Rules
The contractor shall allow for the creation of custom, user-defined security rules based on the specific information security policies of the NSF, ASC, and other USAP network users. These rules should be easily accessible for creation, viewing, modification, and maintenance.
V. Contract Type and Government Estimate
The Government anticipates awarding an Firm Fixed Price (FFP). Task Order. The current estimated cost for this requirement is $15 million.
VI. Questionnaires
Complete the following questionnaire as outlined below:
- Responses should be submitted electronically via email only to the Contracting Officer (CO), Keisha Benford (kbenford@nsf.gov. Use the attached questionnaire to provide the requested information (no substitutions, additions, or deletions)
- All responses are to use Times New Roman font, with a 12-point font, and 1-inch margins, single spaced in all sections.
- Section I, Table 1: Corporate Overview shall be no longer than 2 pages in length.
- Section II, Table 2: Corporate Experience shall be no longer than 6 pages in length (2 pages for each example of Corporate Experience). All provided corporate experience references must be or have been performed by the respondent as a Prime contractor. If the referenced experience is part of a larger contract, clearly differentiate the work and cost of that work that only relates to the requirements provided in this RFI.
- All information submitted shall be UNCLASSIFIED.
- Please respond no later than 12:00 p.m. Eastern Time on January 21, 2022.
Email all questions to the CO.
