carahsoft Florida Department of Management Services CARAHSOFT S RESPONSE TO THE REQUEST FOR INFORMATION

Transcription

1 carahsoft CARAHSOFT S RESPONSE TO THE Florida Department of Management Services REQUEST FOR INFORMATION Cyber-Security Assessment, Remediation, and Identity Protection, Monitoring, and Restoration Services Thursday, September 3, 2015 CARAHSOFT TECHNOLOGY CORP MICHAEL FARADAY DRIVE, SUITE 100 RESTON, VA CARAH

2 September 3, 2015 Florida Department of Management Services 4050 Esplanade Way, Suite 360 Tallahassee, FL Re: Carahsoft s Response to the Florida Department of Management Services Request for Information for Cyber-Security Assessment, Remediation, and Identity Protection, Monitoring, and Restoration Services Dear Mr. Atkinson, Carahsoft Technology Corporation appreciates the opportunity to respond to the Florida Department of Management Services (the Department) s Request for Information for Cyber-Security Assessment, Remediation, and Identity Protection, Monitoring, and Restoration Services. Our team has fully considered the Department s requirements outlined in this Request for Information, and has carefully put together a response that will best meet your needs. Providing best-value cyber-security solutions has been a core focus throughout Carahsoft s 11-year existence. Early partnerships with industry stalwarts Hewlett Packard, Symantec, and VMware provided Carahsoft with strong footholds in the cyber-security sphere. In recent years, partnerships with FireEye, Gigamon, SafeNet, Splunk, Tripwire, Vormetric, and others have helped Carahsoft develop a cyber-security portfolio that is unrivaled by our competitors. Carahsoft is submitting as both an IT Schedule 70 GSA Contract holder (GS-35F-0119Y) and a Florida State Contract holder ( ). As a top ranked GSA Schedule holder, Carahsoft has delivered best value solutions to our government clients for over ten years including the Department. In fact, Carahsoft has delivered cyber-security solutions to Broward County, Florida Department of Transportation, and Lake County School District. Please feel free to contact me directly at /Daria.Hoobchaak@carahsoft.com or Robert R. Moore at /Robert.Moore@carahsoft.com with any questions or communications that will assist the Department in the evaluation of our response. Thank you for your time and consideration. Sincerely, Daria Hoobchaak Contracts Specialist

3 TABLE OF CONTENTS Executive Summary... 1 Solution Overview... 1 Prime Contractor: Carahsoft Technology Corp Response Format... 2 In Summary... 7 i

4 EXECUTIVE SUMMARY Solution Overview Carahsoft Technology Corporation understands that the Department is seeking to identify vendors that are able to provide cyber-security assessment and remediation services, as well as identity protection, monitoring, and protection services. As the Prime Contractor, Carahsoft has a vast portfolio of cybersecurity offerings to meet Department s requirements. Prime Contractor: Carahsoft Technology Corp. Carahsoft Technology Corp. is a government only IT solutions provider delivering best-of-breed hardware, software, and support solutions to federal, state and local government agencies since Carahsoft has built a reputation as a customer-centric real-time organization with unparalleled experience and depth in government sales, marketing, and contract program management. This experience has enabled Carahsoft to achieve the top spot in leading software license GSA resellers. VENDOR RELATIONSHIPS Carahsoft has a unique business model focusing on providing superior sales and marketing execution, a track record of success, high integrity, and a focus on strategic vendor relationships. Carahsoft s contract vehicles carry over 200 vendors. Carahsoft has the ability to: Identify security requirements gaps and fill those gaps with Provide a wide variety of cyber-security focused services Rapidly add new cyber-security services as they are required by our customers. CONTRACT VEHICLES Over the past ten years Carahsoft has acquired and maintained a wide variety of purchasing contract vehicles for agencies at the state, local, and federal levels. Associated with all contracts are dedicated and experienced contract management resources. A list of available contracts can be found at GROWTH & STABILITY Carahsoft has continued to show impressive growth year after year, turning annual revenue from $3.4 million in our first year in 2004 to $1.065 billion in 2011, $1.465 billion in 2012, $1.8 billion in 2013, and $2.45 billion in In September of 2014, 7,501 orders were processed worth over $626 million. We are a stable, conservative, and profitable company and have received numerous accolades including the 2013 GovCon Government Contractor of the Year Award in the greater than $300M revenue category. Carahsoft was also recognized in the following areas: Largest GSA Schedule 70 Contract holder for software 7 th of the Washington Business Journal s 100 Largest Private Companies List for Federal 100 Winner, Craig P. Abod, President and CEO 2013 Federal 100 Winner, John Lee, Vice President of Cloud Services 1

5 RESPONSE FORMAT Potential vendors should respond to the following sections at a minimum: a) Introduction; As an industry-leading cyber-security technologies provider for state and local governments, Carahsoft understands the challenges that the Department and its partner agencies face daily. Through our extensive services capabilities and vast portfolio of best-of-breed cyber-security product lines, Carahsoft is confident that we can help plan and execute against any and all security concerns. Carahsoft chooses its vendor partners very selectively to identify vendors with solutions that can coexist and work together in a cooperative manner. By utilizing the best individual products for the specific issues at hand, Carahsoft can develop an entire security framework for the Department that covers all types of threats, including both external and internal attacks. Carahsoft will provide a wide range of security services not limited to: Virtualization Security Server Hardening Endpoint Protection MPKI and 2 factor authentication Data Encryption at rest and in transit Data Center Security Zero Day Attack and Advanced Persistent Threat Blocking and Remediation Penetration Testing Proactive Threat Detection Continuous Monitoring Mobile Device and BYOD Security Web Security Mail Security Access Management Antivirus and Anti-malware Carahsoft can provide services around the endpoint (antivirus, antimalware, device control), the network (zero day attack prevention, advanced persistent threat detection, penetration testing), mobile (mobile device management, mobile security), data security (file encryption, mail security, web security), and identity management (2 factor authentication, digital certificates, Managed PKI) as well as many other services around cyber-security. Carahsoft will work with the Department to pinpoint products that will best fit an agency s specific needs, while also providing pre- and post-implementation support. 2

6 b) Background; Carahsoft s vast experience delivering cyber-security solutions on state contracts to local government agencies make us uniquely qualified to provide services to the Department. Carahsoft added its first cyber-security vendor in June 2005, and currently offers more than 30 software and hardware vendors that sell cyber-security products as a major portion of their portfolios. A vast majority of those vendors are available through Carahsoft s GSA Schedule. Approximately half of these vendors have initiated theirs partnerships with Carahsoft since 2013, which has spurred robust growth in cybersecurity sales. Carahsoft has grown from a modest $3.4 million in revenue in 2004 to $2.45 billion in Carahsoft has sold in excess of $1.6 billion in cyber-security solutions, with more than $1 billion of those sales having been processed since Our totals for these years include $300 million in 2013, $450 million in 2014, and $333 million in 2015 YTD, with an expected total exceeding $525 million. Carahsoft has more than 270,000 state, local, and education customers. Carahsoft has provided more than $85 million in software and hardware solutions to over 10,000 customers operating in the State of Florida. Carahsoft currently holds 45 unique state, local, and education-based contract vehicles. 19 of these contracts can be used in the State of Florida. This includes Carahsoft s GSA Schedule No. GS-35F-0119Y and Florida State Contract No Carahsoft has sold in excess of $16 million through the GSA Contract to Florida agencies, and nearly $9 million via the Florida COTS Contract since its award in October c) Contact Information (company name, phone, ); and Carahsoft Point of Contact Name Daria Hoobchaak Phone Daria.Hoobchaak@carahsoft.com Carahsoft Point of Contact Name Jack Dixon Phone Jack.Dixon@carahsoft.com Carahsoft Point of Contact Name Robert R. Moore Phone Robert.Moore@carahsoft.com 3

7 d) Response to section IV, including a service catalog, if available. 1) Pre-Incident Services: a) Incident Response Agreements Terms and conditions in place ahead of time to allow for quicker response in the event of a cyber-security incident. Carahsoft offers a number of vendors that assist with Incident Response. Upon purchase of any software, all Terms and Conditions are agreed upon at the time of download. One example of an incident response software Carahsoft carries is Cybersponse, a cyber-security incident response platform that provides a single console view of your entire network, capable of detection, mitigation and closure of cyber incidents. The product is able to streamline the duties of the security operations team in reference to cyber incident response throughout the enterprise through stream-less coordination of tasks and communications through one console, automated workflow of task assignments, and access to instant, immediate status reporting. With real-time information, security teams are able to make intelligent evaluations of live security incidents. If a subscription model is preferred, Carahsoft can provide proactive incident monitoring through Symantec s Managed Security Services, which also provide pre-negotiated engagement terms. b) Assessments Evaluate a State Agency s current state of information security and cyber-security incident response capability. Carahsoft offers Florida Department of Management Services the ability to run vulnerability assessments based on the State s current IT Security framework. By running the scan on the State s most sensitive servers, web-based application, operating systems, and databases as well as other network devices, Carahsoft, through the use of Control Compliance Suite, enables IT to: Create a single view of security threats across the agency s infrastructure Differentiate between real and potential vulnerabilities while streamlining remediation Reduce cost and complexity by automating vulnerability management from discovery to prioritization all the way to issue resolution If a services engagement is requested, Carahsoft also offers Security Assessment onsite services through a number of vendors. Additionally, Carahsoft offers ongoing Managed Security Services that produce on demand security assessments while assisting in remediation efforts that enable end users to become more proactive about incident response. c) Preparation Provide guidance on requirements and best practices. Carahsoft provides Control Compliance Suite to enable agencies to be prepared for attacks with best practices and risk visibility so customers can effectively align priorities across their security framework while also achieving security compliance. A number of prebuilt templates for government mandated security policies are included and customer policies can be created as needed for agency specific needs. 4

8 Included in best practices outlines will be suggested vendors for Identity Management, Password Management, Data Loss Prevention, Endpoint Security, Web Browser Protection, Virtualization Security, Cyber Incident Response, Advanced Persistent Threat Protection, Database Security, Proactive Threat Detection, Mobile Management and Security, and Traffic Visibility. Carahsoft also provides Penetration Testing services through our vendors, which allow users to identify gaps in the security infrastructure. d) Developing Cyber-Security Incident Response Plans Develop or assist in development of written State Agency plans for incident response in the event of a cyber-security incident. Carahsoft will assist the Department with the development of a written Incident Response Plan via Symantec s Managed Security Services offering. We will help facilitate response plan assessments, incident response training, tabletop exercises, and communicate every step of the plan to the agency. e) Training Provide training for State Agency staff from basic user awareness to technical education All Carahsoft offered solutions provide training for their specific software lines. Carahsoft will assist the Department with student registration through either regional classroom training or online virtual training. 2) Post-Incident Services: a) Breach Services Toll-free Hotline Provide a scalable, resilient call center for incident response information to State Agencies. Carahsoft s Symantec Managed Security Service provides 24/7/365 Incident Response services with a call center to alert customers of security breaches with outbound calls or to assist with inbound calls from the agency. Incident Response is set up precisely to address both proactive and reactive needs. b) Investigation/Clean-up Conduct rapid evaluation of incidents, lead investigations and provide remediation services to restore State Agency operations to pre-incident levels. Carahsoft s Symantec Managed Security Services Incident Response helps customers determine the scope, vector, and impact of the attack on the agency based on unique legal, regulatory, and industry requirements. Carahsoft tailors the response and appropriate clean up strategy to the customer with either remote or on-site investigations and services that assist with best practices to contain and remediate the issue. Customers can choose between multiple Emergency Response Service levels as well as Retainer Services to assist with clean up. c) Incident response Provide guidance or technical staff to assist State Agencies in response to an incident. Carahsoft s Incident Response vendors and services enable State Agencies to have a single console view of their entire network, decrease time to detection and mitigation, as well as enable the agency to develop best practices for future incident responses. Using vendors such as Cybersponse, Tripwire, and Symantec, 5

9 Carahsoft will engage with the agency in real time with on demand reporting and support to provide a remediation plan that suits the agency. Carahsoft also offers on-site security personnel to assist with a security response as a separate option. d) Mitigation Plans Assist State Agency staff in development of mitigation plans based on investigation and incident response. Assist State Agency staff with incident mitigation activities. Through vendors like Digital Reasoning and Trustwave, Carahsoft will help the Department develop a mitigation plan. Using these technology platforms, Carahsoft will help develop a platform that can identify database, access control, patch, and application setting issues that can lead to increased security risk in the future. The software will enable the detection of rogue application installations, develop proactive security policies, perform safe penetration tests, all while auditing for policy violations through an agent-less scanner. By utilizing machine learning, Carahsoft s vendors can minimize human error while identifying risks and threats. Pattern detection logic to proactively detect possible risk increasing activities and notifying the end user as well as IT will enable the agency to stay on top of IT security while staying confident that their incident mitigation plan is working as intended. e) Identity Monitoring, Protection, and Restoration Provide identity monitoring, protection, and restoration services to any individuals potentially affected by a cyber-security incident. Carahsoft provides multiple solutions that protect against malicious insiders while simultaneously providing privileged identity and access management to trusted insiders. Leveraging best-of-breed technology from RSA, Symantec, and Xceedium, Carahsoft can assist in implementing a zero trust security model with rolebased access control and monitored user sessions. All solutions can be controlled and monitored from a central console for easy administration. Whether the agency prefers a hard token, soft token, or cloud model, Carahsoft can assist. Additionally, protecting against malicious insiders is just as important. Using technologies such as Symantec s Data Loss Prevention and Cyber-Ark, Carahsoft can help find malicious attacks originating from inside the agency before the attack is actually set in motion. By monitoring user activity, attempts to send information outside the walls of the agency, securing privileged credentials, and encrypting data in transit using Vormetric, SafeNet, and Symantec, Carahsoft s vendor portfolio will enable the Department to choose the best personalized solution for each agency. 6

10 IN SUMMARY Carahsoft Technology Corporation appreciates the opportunity to offer this solution for the Department s initiative. The Carahsoft Team has proposed a superior and cost-effective solution that fully complies with the Department s requirements. We understand the importance of your project goals, and we are confident you will benefit from this solution and our expertise. Carahsoft looks forward to the opportunity to speak with you regarding the details of this proposal, as well as the opportunity to work with Florida Department of Management Services on this project. 7