7.6 VULNERABILITY SCANNING SERVICE (VSS) (L ; C ) Satisfying the Service Requirements (L (c))

Transcription

1 7.6 VULNERABILITY SCANNING SERVICE (VSS) (L ; C ) The offeror shall describe each of the optional Security Services offered. Table L shows the Security Services that shall be optional to offer. Tables J (b) Technical Stipulated Requirements for Optional IP-Based Services and J (b) Technical Narrative Requirements for Optional IP-Based Services identify the stipulated and narrative requirements, respectively, that shall apply exclusively to optional services. The offeror shall describe all optional Transport/IP/Optical Services offered to include: Satisfying the Service Requirements (L (c)) A technical description of how the service requirements (e.g., capabilities, features, interfaces) are satisfied for all proposed optional services. Overview Figure Sprint Vulnerability Scanning Service X XXXXXXXXXXXXXXXXXXXXXXXXXXXX The Sprint Vulnerability Scanning Service (VSS) allows agencies to conduct effective and proactive assessments of critical networking environments, and correct vulnerabilities before someone exploits them. This Page 956 March 5, 2007

2 offering helps to guard Agency systems and network infrastructures against emerging threats. X XXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXX Figure Vulnerability Scanning Network Diagram XXXXXXXXXXXXXXXXXXX Page 957 March 5, 2007

3 Facilities XXXXXXXXXXXXXXX Agency Site XXXXXXXX XXXX X X X XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXX Page 958 March 5, 2007

4 XX X XXXXXXXXXXXXXXXXXX Sprint updates the scanner databases regularly with the latest threat information. The scanner manufacturer tests these updates and distributes them directly thus ensuring the integrity and safety of scan operations. VSS Secure Operations Center (VSOC) XXX X XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX X X XXXX XXXXXXX XXXXXXXXXXX XXXXX XXX XXXX XXXXXXXXXXXXXXX Page 959 March 5, 2007

5 Remote Management Site X XXX XXX XXXXXXXXXXXXXXXXXXXXXXXXXX VSS APPROACH XXXXXXXXX. Stage Table Vulnerability Scanning Stages Description XXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXX XXXXXXXX XXXXX XXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXX XXXXXXXXXXXXXXXXXX XXXXXXXXX XXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX. XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXX Page 960 March 5, 2007

6 XXX XXXXXXXXXXXXXXXXXX XX XXXX XXXX XXXXXXXXXXXXXXXXXX XX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX In accordance with requirements specified in Networx RFP section C.3.3.2, Security Management, Sprint will assist the Government to comply with applicable Federal Information Security Management Act (FISMA) requirements. The Sprint information security program relies on industry and Government guidance and standards that promote the management, technical and operational security controls it implements to protect Networx. Services and OSS are defined, architected, implemented, and maintained in a manner consistent with National Institute of Standards and Technology (NIST) guidance. Consistent with FIPS 199, Sprint will perform Business Impact Assessments of Networx information systems to operate a costeffective security program that protects the confidentiality, integrity, and Page 961 March 5, 2007

7 availability of the Networx program. Sprint management, technical and operational security controls will meet the criteria for controls outlined in NIST Special Publication , Annex 1 as supplemented by all existing information security controls implemented by Sprint for the FTS2001 Program. Sprint will provide Agencies with the following: XXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXX X XXXXXXXXXXXXXXXXXXXXX XXX X XXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXX Page 962 March 5, 2007

8 X XXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXX X XXXXXXXXXXXXXXXX 9. To provide the Agency with non-destructive and non-intrusive vulnerability scans that will neither crash the systems under analysis, nor disrupt Agency operations; Sprint follows advanced safety measures and protocols. XXXXXXXXXXXXXXXXXXXXXXXXXXXXX X X X XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXX X XXXXXX Page 963 March 5, 2007

9 XXXXXXXXXXXXXXXXXXX Features XXXXXXXXXXXXXXXXXX XXX X X XXXXXXXXXXXXX Interfaces X XXXXXXXXXXXXX XXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXX Quality of Services (L (d)) A description of the quality of the services with respect to the performance metrics specified in Section C.2 Technical Requirements for each proposed optional service, and other performance metrics used by the offeror. Sprint will meet the 4 and 8 hour AQLs for TTR requirement for VSS. Sprint tracks AQLs for Availability and Time to Restore compliance in the XXXXXXXXXXXXXX The values are based on the formula located in Sections C (VSS Performance Metrics) for Availability, and Page 964 March 5, 2007

10 Section C (Step 4 Fault Management) for TTR. The values generated by these formulae are used to determine compliance with the requirement. Sprint will comply with all VSS performance metrics Exceeding the Specified Service Requirements (L (e)) If the offeror proposes to exceed the specified service requirements (e.g., capabilities, features, interfaces), a description of the attributes and value of the proposed service enhancements. XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX Experience Delivering Services (L (f)) A description of the offeror s experience (including major subcontractors) with delivering each proposed optional service. Sprint has provided security planning assistance to Fortune 500 companies, integrated security considerations into the design of new systems, as well as delivered security recommendations for existing systems. These proactive measures were instrumental in assuring that systems were protected throughout their entire life cycle. This protection covered emerging threats, as wells as degradation of overall security levels resulting from normal system usage. Sprint s security professionals have experience and skills gained through handling systems of progressively increasing complexity. They understand server security because they have worked as Network Administrators. They understand the need for network security in environments with diverse operating systems because they have worked as Network Engineers. They understand multiple aspects of security issues because they have managed firewalls, worked incident response issues, been involved in intrusion detection and forensics activities, and conducted facility-wide Vulnerability Scanning and Assessments. Here are a few examples where Sprint services were instrumental in preventing client system exploits. Page 965 March 5, 2007

11 XXXXXXX XXXXXXXXXXXXXXXXXXXX XXXXXX Sprint brings this wealth of knowledge along with National Security Agency (NSA) certifications in vulnerability assessment, in delivering the VSS so Agencies can feel secure in knowing that our analysis and recommendations will hold the highest benefit. The Sprint managed security-based services provide a high level of security for our clients critical information infrastructures. Monitoring and scheduling scanning services identified vulnerabilities and resulted in recommendations to mitigate risks that could affect production systems and personal information. This allowed our clients to operate more effectively and maintain a higher-than-normal security posture. Sprint views VSS as an extension of the Agency s environment. Prior to implementation Sprint will work with the customer to obtain a better understanding of each Agency s security policies. This understanding will enable Sprint to implement a solution that complies with that Agency s security policies and will ensure accurate results Testing and Verifying Services (L (g)) A description of the offeror s approach to perform verification of individual services delivered under the contract, in particular the testing procedures to verify acceptable performance and Key Performance Indicator (KPI)/Acceptable Quality Level (AQL) compliance. Page 966 March 5, 2007

12 Time to Restore XX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX Figure Trouble Resolution Process XXXX XXXXXXXXXXXXXXXXXXXXX X XXX X, XXXXXXXXXXXXXXXXXXXXXXXXXXXX Page 967 March 5, 2007

13 Availability Sprint has adopted a consistent methodology for measuring availability of Networx products and services. Consistent with the methodology, availability will be computed according to the formula specified in RFP Table C , with outage time based on reported trouble ticket data Impact of Delivery of Optional Services on the Network Architecture (L (h)) A description of how the delivery of any optional services would impact the network architecture (e.g., security, quality and reliability, performance). Based on the current requirements, Sprint does not foresee any impact of delivery of the optional services on the Network Architecture as it relates to security, quality, reliability and performance Satisfying NS/EP Basic Functional Requirements (L (i)) A description of the offeror s approach to satisfy each NS/EP basic functional Requirement listed in Section C There are no NS/EP requirements for Vulnerability Scanning Service Assuring Service to the National Capital Region (L (j)) A description of how the network architecture will satisfy the requirements in Section C for assured service in the National Capital Region, if applicable. This requirement is not applicable for the Vulnerability Scanning Service Meeting Section 508 Provisions (L (k)) A description of the offeror s approach for providing the capabilities needed to meet Section 508 provisions identified in Section C.6.4 for the proposed optional services. Sprint delivers VSS products as Section 508-compliant PDF files through the XXXXXXXXXXXX XXXXXXXXXXX will be 508 compliant. Page 968 March 5, 2007

14 Incorporating Future Technological Enhancements and Improvements (L (l)) A description of the approach for incorporating into the proposed optional services, technological enhancements and improvements that the offeror believes are likely to become commercially available in the timeframe covered by this acquisition, including a discussion of potential problems and solutions. As technological enhancements and improvements for Sprint s VSS become commercially available, Sprint will thoroughly tests them for stability and effectiveness prior to offering them to our clients. XXXXXXXXXXXXXXX XX X XXX XX XXXXXXXXXXXXXXXXXXXXXXX Summary The Sprint VSS solution provides a mechanism for Agencies to validate the effectiveness of their other security infrastructure. Sprint will consult with Agency IT, engineering, and operational staff to design a scanning solution that meets the Agency s requirements. Page 969 March 5, 2007