Description: This notice is issued by the NICHD Office of Acquisitions on behalf of the National Institute on Alcohol Abuse and Alcoholism (NIAAA). This is a Small Business Sources Sought notice. This is NOT a solicitation for proposals, proposal abstracts, or quotations. There is no solicitation available at this time.

The purpose of this notice is to obtain information regarding: (1) the availability and capability of all qualified small business sources; (2) whether they are small businesses; HUBZone small businesses; service-disabled, veteran-owned small businesses; 8(a) small businesses; veteran-owned small businesses; woman-owned small businesses; or small disadvantaged businesses; and (3) their size classification according to the North American Industry Classification System (NAICS) code for the proposed acquisition. Your responses to the information requested will assist the Government in determining the appropriate acquisition method, including whether a set-aside is possible. An organization that is not considered a small business under the applicable NAICS code should not submit a response to this notice.

The NAICS Code applicable to this announcement is 54151S Information Technology Professional Services. The small business size standard for this NAICS is $34 Million.

Per FAR 19.001, a small business concern means any business entity organized for profit (even if its ownership is in the hands of a nonprofit entity) with a place of business in the United States or its outlying areas and that makes a significant contribution to the U.S. economy through payment of taxes and/or use of American products, material and/or labor, etc. Please note that to qualify as an eligible small business concern for purposes of a small business set-aside (where large businesses, universities and non-profits would be excluded from competing for part of or the entire requirement), at least 50% of the direct labor cost must be "in-house".
Specifically, FAR 52.219-14, "Limitations on Subcontracting" states that "at least 50 percent of the cost of contract performance shall be expended for employees of the concern". To be eligible for a small business set-aside, the small business will need to demonstrate the ability to perform the project requirements "in house" or coordinate/subcontract with other small business sources [only] to meet the "at least 50% of personnel costs performed by small business" requirement.

Background: The National Institute on Alcohol Abuse and Alcoholism (NIAAA) is seeking capability statements from small business organizations (NAICS 54151S; small business size standard is $34 Million) with experience in IT Security documentation and security plan documentation support, FISMA assessments, technical CDM support and testing, and system administration for various systems and tools that support configuration, patching, configuration baseline management, and vulnerability management. NIAAA requires support for all computing hosts within NIAAA's system boundaries, and the contractor's experience shall demonstrate an understanding of how an NIH Institute's hybrid control infrastructure fits within the NIH security management program and the inheritance structure from various central NIH control providers, as well as from cloud providers. The contractor shall have experience that enables them to quickly support NIAAA's localized choices for specific policies, standards, methods, processes or tools to address IT security, and for varying compensating controls in the context of how they address centralized NIH policies and standards. The planned acquisition is a follow-on requirement to active contract GS-35F-386DA/75NN94019F00174, awarded to Booz Allen & Hamilton Inc. with a period of performance 03/25/2019 through 03/24/2024.
One contract is envisioned which will provide a wide spectrum of Information Technology Security Support Services to the National Institute on Alcohol Abuse and Alcoholism, and FISMA A&A Support Services to the National Center for Complementary and Integrative Health (NCCIH). The National Institutes of Health (NIH) consists of 27 Institutes and Centers (ICs) in a hybrid centralized/distributed management environment. The National Institute on Alcohol Abuse and Alcoholism (NIAAA) is one of the NIH centers. NIAAA provides leadership in the national effort to reduce alcohol-related problems by:
- Conducting and supporting research in a wide range of scientific areas including genetics, neuroscience, epidemiology, health risks and benefits of alcohol consumption, prevention, and treatment
- Coordinating and collaborating with other research institutes and Federal Programs on alcohol-related issues
- Collaborating with international, national, state, and local institutions, organizations, agencies, and programs engaged in alcohol-related work
- Translating and disseminating research findings to health care providers, researchers, policymakers, and the public

The NIAAA IT environment is contained by NIAAA-specific firewalled boundaries within the NIH Network (NIHnet) wide area network backbone. NIAAA's local area networks support two buildings at Rockledge Drive, North Bethesda, and Fishers Lane, Rockville, Maryland, and several buildings on the NIH campus. The typical NIAAA user is either a medical scientist or an administrative support person. At NIH, requirements and the ability to implement solutions vary greatly from one NIH IC to the next, with each IC having its own Administrator, Executive Officer, Scientific Director, Chief Information Officer (CIO), and Information Systems Security Officer(s) (ISSO).
As a result, NIAAA's system owners, developers, systems administrators, and IT management staff are required to make localized choices for specific policies, standards, methods, processes or tools to address IT Security, and for varying compensating controls to address centralized NIH policies and standards.

The National Center for Complementary and Integrative Health (NCCIH) is the Federal Government's lead agency for scientific research on the diverse medical and health care systems, practices, and products that are not generally considered part of conventional medicine. NCCIH at the National Institutes of Health (NIH) funds and conducts research to help answer important scientific and public health questions about complementary health approaches. NCCIH works to determine what is promising, what helps and why, what doesn't work, and what is safe. NCCIH's system owners, developers, systems administrators, and IT management staff have also made localized choices for specific policies, standards, methods, processes or tools to address IT Security, and for varying compensating controls to address centralized NIH policies and standards.

The contractor will develop a clear understanding of NIAAA's and NCCIH's hybrid control infrastructure within the NIH security management program, in order to assist with the documentation of NIAAA's localized choices for specific policies, standards, methods, processes or tools to address IT Security, and for varying compensating controls to address centralized NIH policies and standards. The contractor shall meet with the NIAAA ISSO/COR on a bi-weekly or monthly basis to discuss the status of all activities performed, including problems and delays. A monthly progress report shall be prepared outlining the activities planned and performed for the month as directed by the NIAAA ISSO, activities planned for the next month, and associated costs.
Purpose and Objectives: The purpose of this order is to perform Information Technology (IT) security support services in different roles. The contractor shall provide IT security technical assistance to the NIAAA ISSO, and assist in keeping up with the complex technical support demands of the NIH OCIO, to ensure a properly working Information Security Program within the Institute. The contractor shall develop a very detailed understanding of NIAAA's systems and hybrid control infrastructure as it fits within the NIH security management program. This in-depth understanding is necessary to perform configuration management, vulnerability management, and operational support of both localized and NIH-wide choices for specific IT Security related tools, configuration standards, methods, and processes. These items may change over time, as cybersecurity is an ever-evolving field.

Project requirements include:
1. Provide all aspects of FISMA Security Plan and Assessment and Authorization Documentation Support
2. Provide Information Assurance Technical Support
3. Information Assurance Technical Engineering Support
4. Provide contract and ongoing projects management to the overall contract
5. Provide security program management support

Anticipated contract type and period of performance: A Fixed-Price (FP)/Requirements type contract is being contemplated for these services with a period of performance consisting of a 12-month base contract period plus four successive 12-month term options, beginning March 25, 2024.

Information Requested: The Capability Statements must specifically demonstrate qualification of the contractor's ability to:
1. Utilize a deep understanding of NIH and NIAAA FISMA related policies and procedures, to create and/or verify all FISMA ATO related data and artifacts, re-enter and update to 800-53, Rev 5, and maintain (keep up to date) within the NIH CSAM application.
The contractor shall bring expert knowledge of the CSAM system, understand NIAAA's systems as they fit into NIH's inheritance structure for the migrations, and keep track of and follow all new guidance as it is provided by the NIH Information Security Awareness Office. Proactively manage the ATO annual assessment schedule to ensure NIAAA's systems are assessed on time, and bring any unexpected delays to the attention of the NIAAA ISSO.
2. Utilize a deep understanding of NIAAA's systems and NIH policy, procedures and standards, to assist with responding to HHS and NIH Data Calls for IT security information, and to assist the NIAAA ISSO with investigating, remediating and documenting information security and privacy incidents.
3. Provide vulnerability and configuration compliance tracking and remediation support, using NIH-specific implementations and procedures for Tenable Security Center tools, Invicti application scanning, NIH HTTPS Dashboard, BigFix for Windows workstations and servers, JAMF for MacOS based workstations, and Ansible for Linux.
4. Be responsible for periodically producing an up-to-date inventory of all of NIAAA's hosts, in order to ensure security management tools are being applied uniformly. Be familiar enough with the environment to continually harmonize asset inventory lists between security tools, utilizing scripts, and with a formal process at least quarterly.
5. Work with IT staff to implement and maintain NIH's standard secure configuration management baselines across Windows, Mac and Linux systems, using third party configuration management tools (BigFix, JAMF, Ansible) across NIAAA's endpoints.
6. Perform BigFix patching of Windows OS and applications, application packaging, inventory, self-service, and scripts for specific tasks such as removing applications like JAVA and keeping JAVA up to date only for hosts with applications that require it. Maintain focus on testing and documenting through NIAAA's change management process.
Maintain the BigFix main server and agent relay server.
7. Perform Apple MacOS installation, upgrade, baseline configuration and patch management using JAMF Pro -- Mac systems enrollment, initial builds, configuration management, encryption, application deployment and patching. The contractor must understand the NIH process for maintaining up-to-date NIH configuration baselines of the MacOS. Maintain the JAMF server and agent relay server.
8. Be responsible for maintaining NIAAA's configuration in the NIH-managed Tenable Security Center tool, monitoring daily for new vulnerabilities, and producing reports and Tenable dashboards proactively, to support evolving response needs to new vulnerabilities. Actively monitor and provide reports to the NIAAA ISSO about urgent needs to meet critical vulnerability remediation timelines. Remediate vulnerabilities on any vulnerable device identified by NIH OCIO, assist with gathering compensating control information, and assist with gathering information and writing waivers when remediation is not possible. Suggest improvements to procedures to the NIAAA ISSO, to meet changing NIH Infosec Program requirements.
9. Actively manage NIAAA's Cylance implementation for endpoint security.
10. Proactively assist NIAAA IT Branch support staff with secure configuration, documenting remediation, and troubleshooting of issues stemming from security configuration and remediations. Monitor and understand all security patches and updates released for production operating systems and applications in use at NIAAA, and make prioritization recommendations to the ISSO for patching, and for OS and application upgrade strategies.
11. Manage and maintain SSL certificates across most of NIAAA's systems, ensuring that no unexpected certificate expirations occur, and that the latest encryption standards are being met.
12. Provide overall security hardening support for various operating systems and applications.
Build secure infrastructure (servers/SSL/SSH certificates/firewall rules) for security related application servers. Research and recommend configuration management or monitoring methods or tools upon request. Work with scientific researchers to isolate end-of-life systems into restricted segments.
13. Be the primary administrator of Group Policy for the Institute's Organization Unit. Understand the NIH enterprise GPO inheritance structure and NIAAA's GPOs within it. Stay current on Windows operating system changes that may require revisions to Group Policy. Administer and maintain NIAAA's BitLocker implementation, as well as other GPO-implemented security measures, such as LAPS.
14. Administer Checkpoint GAIA server, with Smart EndPoint Console, managing Full Disk Encryption on all of NIAAA's Windows endpoints. Support IT staff when questions or issues arise. Advise ITB staff on compatibility of Checkpoint components with Windows feature releases.
15. Provide 2nd tier support to security and operations staff to investigate complex technical resolutions to vulnerability and configuration management problems. Serve as SME (Subject Matter Expert) for configuration and troubleshooting of encryption protocols. Generate/maintain certificates applied to NIAAA's websites and internal product consoles. Research, recommend and provide occasional implementation support to secure new applications, and assist with evaluating and implementing new security tools.
16. Administer NIAAA's password management server to store and manage numerous service accounts, all SSL certificates, and other sensitive IT account information, and manage admin password rotation on Windows servers. Perform regular password management server maintenance and upgrades.
17. Configure and maintain the Splunk implementation to send required logs to the NIH/HHS CDM Splunk server and provide relevant monitoring and alerting to NIAAA's IT team.
Search Splunk logs with an in-depth understanding of NIH subnet assignments, in order to assist sysadmins in troubleshooting issues, and determine if unexpected ports are being blocked for new server/application implementations when vendor documentation is inadequate.
18. Perform firewall rule administration for the Cisco ASA firewall, working closely with the NIAAA ISSO (firewall hardware and OS maintenance is performed by an NIH CIT team).
19. Administer DHCP reservations and DNS records in InfoBlox. (Infoblox servers are maintained by the NIH CIT team.)
20. Coordinate with Contegix cloud support to administer updates and upgrades for the JIRA PaaS. Understand NIAAA's customer-specific responsibilities and JIRA sysadmin features, in order to reapply JIRA configuration items after upgrades.

Past Performance Information: Documentation should include, but not be limited to, a minimum of two contracts performed for NIH, to include:
- duration period of contracts (e.g., base year plus option years)
- references, which shall include for each contract: names, titles, contract number, price or cost, description of work performed, telephone numbers of Project and Contracting Officers, and any other information serving to document the organization's capability to perform the 20 project requirements.

Information submission instructions: Responses shall be submitted in electronic format only and include the organization's name, address, point of contact, and size of business according to the North American Industry Classification System (NAICS) code, and must address all the technical information requested. Generic marketing brochures or generally worded capability statements that do not address the specific project requirements are unlikely to receive a favorable evaluation. The page limit is 15 pages using a font size 10 or larger. Responses will assist the Government in selecting the appropriate acquisition mechanism.
Additionally, the response must provide answers to the following questions:
1. Is your organization a small business under NAICS code 54151S?
2. Does your firm qualify as a small disadvantaged business?
3. If disadvantaged, is your firm certified under section 8(a) of the Small Business Act?
4. Are you a certified HUBZone firm?
5. Are you a woman-owned or operated business?
6. Are you a certified Service-Disabled Veteran Owned or Veteran Owned business?

This notice is for information and planning purposes only and does not commit the Government to any contractual agreement. This is not a Request for Quotes/Proposals. The Government DOES NOT intend to award a contract based on responses under this announcement. Interested parties shall not be reimbursed for costs associated with preparation of their responses. Any proprietary information should be so marked. Interested organizations presenting a Capability Statement in response to this Small Business Sources Sought Synopsis must identify their size status.

All capability statements sent in response to this Small Business Sources Sought notice must be submitted electronically (via email) to the Point of Contact below in MS Word or Adobe Portable Document Format (PDF). The subject line must specify Small Business Sources Sought 75N94024Q00014. Facsimile responses will not be accepted. Electronically submitted capability statements are due no later than 12:00 PM (Eastern Standard Time) on December 01, 2023. CAPABILITY STATEMENTS RECEIVED AFTER THIS DATE AND TIME WILL NOT BE CONSIDERED.

Please send responses to the Small Business Sources Sought announcement via e-mail to:
Edwin Osorio, Contract Specialist
NICHD Office of Acquisition, NIAAA Team
E-MAIL: Edwin.Osorio@nih.gov

Contracting Office address:
NICHD Office of Acquisitions
NIAAA Team
6700B Rockledge Drive

Disclaimer and Important Notes: This notice does not obligate the Government to award a contract or otherwise pay for the information provided in response.
The Government reserves the right to use information provided by respondents for any purpose deemed necessary and legally appropriate. Any organization responding to this notice should ensure that its response is complete and sufficiently detailed to allow the Government to determine the organization's qualifications to perform the work. Respondents are advised that the Government is under no obligation to acknowledge receipt of the information received or provide feedback to respondents with respect to any information submitted. After a review of the responses received, a pre-solicitation synopsis and solicitation may be published in Federal Business Opportunities. However, responses to this notice will not be considered adequate responses to a solicitation.

Confidentiality: No proprietary, classified, confidential, or sensitive information should be included in your response. The Government reserves the right to use any non-proprietary technical information in any resultant solicitation(s).
The National Institute on Alcohol Abuse and Alcoholism (NIAAA) is seeking qualified small business sources for a follow-on requirement to an active contract awarded to Booz Allen & Hamilton Inc. The purpose of this contract opportunity is to provide Information Technology Security Support Services to NIAAA and FISMA A&A Support Services to the National Center for Complementary and Integrative Health (NCCIH). The contractor will be responsible for IT security documentation, security plan documentation support, FISMA assessments, technical CDM support and testing, system administration, configuration management, patching, vulnerability management, and more. The contract will have a 12-month base period with four successive 12-month term options, starting from March 25, 2024. The place of performance will be at various locations in Maryland, including Rockledge Drive in North Bethesda and Fishers Lane in Rockville, as well as several buildings on the NIH campus.