7.1 MANAGED FIREWALL SERVICES (MFS) (L.34.1.6; C.2.10.1)

The offeror shall describe the means by which the requirements for Security Services specified in Section C.2 Technical Requirements will be satisfied. The mandatory Security Services are listed in Table L.34.1-7.

7.1.1 Technical Approach (L.34.1.6.1)

7.1.1.1 Approach to Service Delivery (L.34.1.6.1 (a))

Analyze the service requirements specified in this solicitation and describe the approaches to service delivery for each service.

Figure 7.1.1-1. Sprint Managed Firewall Service [Redacted]

Page 857 March 5, 2007
Our technical and quality monitoring approach for Managed Firewall Service (Figure 7.1.1-1) ensures reliable service delivery. Sprint will work with the Agency to provide a Firewall security design, which is a technical blueprint of the required network to meet an Agency's established security policy. This design is developed to minimize risks associated with threats and vulnerabilities. To this end, Sprint Engineers provide a consultative approach and work with the Government to determine a firewall solution customized to an Agency's connectivity and security requirements. The resulting solution will mitigate risks, allow access to essential applications, and will help reduce network disruptions caused by hostile activity.

Sprint's comprehensive Managed Firewall Service provides safeguards that protect Agency Internal networks from compromise and tampering.

The Sprint MFS solution is fully compliant with the Networx RFP requirements. A Security Engineering Design Document (SEDD) is produced for each device and the network as a whole, and is a requirement for approving a security service order. An implementation plan will then be created for every security device implementation. We will install the appropriate equipment, conduct performance testing, and ensure the Firewalls can be effectively accessed, managed, and monitored by the Agency and by Sprint.

[Redacted]
Table 7.1.1-1. Sprint Managed Firewall Capabilities
Service Requirements: [Redacted]
Technical Capabilities: [Redacted]
Benefits: [Redacted] Sprint is the single point of accountability for all firewall security operations, hardware/software maintenance, and administration. [Redacted]
Figure 7.1.1-2. Managed Firewall Service On-line Customer Tools

[Redacted]

7.1.1.2 Expected Benefits of Service Approach (L.34.1.6.1 (b))

Describe the expected benefits of the offeror's technical approach, to include how the services offered will facilitate Federal Architecture objectives (see http://www.whitehouse.gov/omb/egov/a-1-fea.html).

Sprint provides overall management of an Agency's firewall infrastructure and is the Agency's single point of accountability for all firewall security operations, maintenance, and administration activities, which enables an Agency to focus on key mission objectives. The Agency can rely on Sprint, rather than having to be concerned with the acquisition of management tools
and IT staffing expenses (i.e., hiring, training, and retaining) to manage the security solution effectively. Sprint helps the Government identify cost-effective opportunities for Firewall security solutions by applying industry best practices for security management and using best-in-class Firewall devices. As a technological leader in innovation, Sprint provides a consultative approach for streamlining security solutions, eliminating redundancy, and maximizing Agency IT investment. By using federal guidelines coupled with open-based standards, Sprint provides defense-in-depth firewall security management to protect any IP network from compromise. In addition, we leverage real-time proactive firewall monitoring for rapid troubleshooting and service restoration. Our Managed Firewall Service provides total security solutions for networks of varying complexity in terms of size, bandwidth, and functionality.

[Redacted]

Table 7.1.1-2. Features and Benefits of Sprint Managed Firewall Service
Feature: [Redacted]
Benefit: [Redacted]

7.1.1.3 Potential Problems and Solutions (L.34.1.6.1 (c))

Describe the problems that could be encountered in meeting individual service requirements, and propose solutions to any foreseen problems.

[Redacted]
7.1.2 Satisfying Performance Requirements (L.34.1.6.2)

7.1.2.1 Performance Metrics (L.34.1.6.2 (a))

Describe the quality of the services with respect to the performance metrics specified in Section C.2 Technical Requirements for each service.

Sprint provides the staff, infrastructure, and plans necessary to deliver, manage and maintain Managed Firewall Service. Sprint demonstrates the ability to provide quality services through the use of our compelling set of web-based tools. [Redacted]

When the Federal Managed Network Services Center (FMNSC) identifies a problem or event, the Government will be notified according to the methods and service levels (KPIs and AQLs) which are identified in RFP Section C.2.10.1.4.1. Communication methods include electronic mail, telephone, fax, and pager. Only the Government's designated points-of-contact (defined in the SEDD) will be notified by Sprint FMNSC personnel (see Figure 7.1.2-1).
If we are unable to reach the points-of-contact for any reason, a voice-mail followed by electronic mail will serve as default notification.

Sprint strives to provide quality managed firewall services to Agencies that need to satisfy individual operational requirements. Sprint will meet the performance metrics specified above by applying best practice program management processes for all managed Agency networks. Sprint will follow the formula described in RFP Section C.2.10.1.4 for Availability and we will track and total all outages as defined in the RFP.

Figure 7.1.2-1. Federal Managed Network Service Center Communications

[Redacted]
7.1.2.2 Monitoring and Measuring Key Performance Indicators (L.34.1.6.2 (b))

Describe the approach for monitoring and measuring the Key Performance Indicators (KPIs) and Acceptable Quality Levels (AQLs) that will ensure the services delivered are meeting the performance requirements.

[Redacted]
Figure 7.1.2-2. Managed Firewall Service Event Summary

[Redacted]

Sprint strives to provide quality network management services to Agencies that must satisfy individual operational requirements. Sprint will meet the KPIs and AQLs by applying best practice program management processes for managed firewall services. Sprint will follow the formula described in RFP Section C.2.10.1.4 for availability and we will track and total all outages during the month as defined in the RFP.
Figure 7.1.2-3. Managed Firewall Service Solutions

[Redacted]
Figure 7.1.2-4. MFS Trouble Resolution Process

[Redacted]
7.1.2.3 Testing and Verifying Services (L.34.1.6.2 (c))

Describe the offeror's approach to perform verification of individual services delivered under the contract, in particular the testing procedures to verify acceptable performance and Key Performance Indicator (KPI)/Acceptable Quality Level (AQL) compliance.

An implementation plan will be created for every security device implementation as the first step in our approach to perform verification of managed firewall service. We will install the appropriate equipment, conduct performance testing, and ensure the device(s) can be effectively accessed, managed, and monitored by the Agency and by Sprint. [Redacted]

7.1.2.4 Exceeding Acceptable Quality Levels (L.34.1.6.2 (d))

If the offeror proposes to exceed the Acceptable Quality Levels (AQLs) in the Key Performance Indicators (KPIs) required by the RFP, describe the performance improvements.

[Redacted]

7.1.2.5 Additional Performance Metrics (L.34.1.6.2 (e))

Describe the benefits of, and measurement approach for any additional performance metrics proposed.

As a leader in technology innovation, Sprint will continuously look for ways to improve performance measures over the life of the Networx contract.
[Redacted]

7.1.3 Satisfying Service Specifications (L.34.1.6.3)

7.1.3.1 Technical Description (L.34.1.6.3 (a))

Provide a technical description of how the service requirements (e.g., capabilities, features, interfaces) are satisfied.

The Sprint Managed Firewall Service will allow the Government to completely outsource this mission-critical activity. [Redacted]

In accordance with requirements specified in the Networx RFP section C.3.3.2, Security Management, Sprint will work to support the Government to comply with applicable Federal Information Security Management Act requirements. The Sprint information security program is based on industry and Government guidance and standards and will ensure the management, technical and operational security controls implemented to protect Networx services and OSS (Operational Support Systems) are defined, architected, implemented, and maintained in a manner consistent with National Institute of Standards and Technology guidance. Consistent with FIPS 199, Sprint will perform Business Impact Assessments of Networx information systems to ensure a cost-effective security program that protects the confidentiality, integrity, and availability of the Networx program. Sprint management, technical and operational security controls will meet the controls outlined in NIST Special Publication 800-53, Annex 1 as supplemented by all existing
information security controls implemented by Sprint for the FTS2001 Program.

7.1.3.1.1 Capabilities (L.34.1.6.3 (a))

Sprint implements firewall solutions of varying complexity to detect suspicious network activity and Agency policy violations. [Redacted]

Our Premise-based and Network-based Firewall solutions are available in three sizes:
Tier I protects up to 100 IP addresses and supports up to 10 Mbps
Tier II protects up to 1,000 IP addresses and supports up to 100 Mbps
Tier III protects an unlimited number of IP addresses and supports up to 1 Gbps.

Premise-based Firewalls
[Redacted]

Network-based Firewalls
[Redacted]
Application/Proxy-based Firewalls
[Redacted]

Firewall Software Maintenance
[Redacted]

Firewall Hardware Maintenance
Sprint will comply with the RFP requirements for TTR and dispatch an engineer to the Government site when hardware fails. The Agency's POC will be notified immediately of any hardware failures. In the event that a failure occurs during non-business hours, the Government POC will determine when the engineer will gain access to the firewall.

Out-of-Band Firewall Access
All Sprint managed firewalls will require an encrypting modem attached to the firewall at the Government's premise. [Redacted]
Event Notification
Sprint will work with the Agency and determine critical and non-critical events in order to protect and ensure continued system functionality. The Government will be responsible for ensuring that the Sprint FMNSC has up-to-date information on all points-of-contact. [Redacted]

Non-critical (Low) events include the following scenarios:
[Redacted]

Critical (Medium and High) events include the following scenarios:
[Redacted]
Change Management
Communication will be facilitated through the use of stringent change management procedures and Sprint's timely notification of firewall activity as [Redacted]
Figure 7.1.3-1. Firewall Configuration and Policy Changes Tool

[Redacted]

Firewall Reporting
Sprint will provide monthly performance, utilization, and configuration change reports to the Government. [Redacted]
Figure 7.1.3-2. Managed Firewall Service Reporting

[Redacted]
7.1.3.1.2 Features (L.34.1.6.3 (a))

[Redacted]

7.1.3.1.3 Interfaces (L.34.1.6.3 (a))

Our MFS offerings are available for any IP network running on various transport services (e.g. FRS, ATMS, IPS, PBIP-VPNs, and NBIP-VPNs).

7.1.3.2 Exceeding Specified Service Requirements (L.34.1.6.3 (b))

[Redacted]

7.1.3.2.1 Capabilities (L.34.1.6.3 (b))

[Redacted]
7.1.3.2.2 Features (L.34.1.6.3 (b))

[Redacted]

7.1.3.2.3 Interfaces (L.34.1.6.3 (b))

[Redacted]

7.1.3.3 Network Modifications for Delivery of Service (L.34.1.6.3 (c))

Describe any modifications required to the network for delivery of the services. Assess the risk implications of these modifications.

[Redacted]

7.1.3.4 Experience Delivering Services (L.34.1.6.3 (d))

Describe the offeror's experience (including major subcontractors) with delivering the Security Services listed in Table L.34.1-7 and described in Section C.2 Technical Requirements.

[Redacted]
In summary, Sprint provides overall management of an Agency's firewall infrastructure and is the Agency's single point of accountability for all firewall security operations, maintenance, and administration activities, which enables an Agency to focus on key mission objectives. Our engineers provide a consultative approach and work with the Government to determine a firewall solution customized to an Agency's connectivity and security requirements. The resulting solution will mitigate risks, allow access to essential applications, and will help reduce network disruptions caused by hostile activity.

[Redacted]