Question & Answer Amendment for the Mainframe Security Auditing Software SSN

Submission Deadline: Monday, June 22, 2015 - UNCHANGED

Below are the questions received in reply to the subject SSN, each followed by the FRTIB's response.

The mainframe (z/OS) security auditing software shall:

Gather/collect system hardware and software information to create a baseline.
o Question: What types of systems and hardware are within scope of this requirement? All defined OS hardware components and peripheral devices? All installed software on the system?
o FRTIB response: The FRTIB recognizes that different software solutions may be limited in what details can be collected for hardware and software. Our desire is to collect such information as to provide potential auditors with a baseline of the overall mainframe infrastructure including, to the best of the ability of the security auditing software, the type of hardware and the installed software. The basic list of hardware currently used includes, but is not limited to: IBM zEC12 mainframe; IBM 3494 tape library; EMC VMAX 20K storage array. The basic list of software includes, but is not limited to: z/OS; FDR; CA-Top Secret (and other CA products); EMC storage software; and Compuware software.

Automate audit and compliance reporting.
o Question: Automate in what manner? Is the requirement to be able to batch-run predefined audit and compliance reports on a scheduling system? Are these reports to be event-triggered? What is the definition of audit and compliance reporting? Are there specific guidelines, such as PCI DSS or the DISA STIGs, or other specific events that are to be captured and reported on?
o FRTIB response: The DISA STIG framework is used at the FRTIB. Automated reporting may include scheduled batch reports and ad-hoc, on-demand reporting.

Monitor, track, and report on changes to started tasks.
o Question: Is this a real-time requirement or a post-forensic type of requirement? Are alerts also required for critical started tasks should a change occur to them? Does this requirement apply to the underlying JCL/PROC/load libraries the started task executes, or to the running task itself?
o FRTIB response: The monitoring, tracking, and reporting features will be used to report on and alert to changes to the JCL, PROCs, and load libraries of system-level data sets and members, primarily through batch reporting.

Monitor and report on privileged users to detect possible insider abuses and compliance violations.
o Question: What type of parameters constitute insider abuses? Can you provide a specific use case that identifies what type of activity is considered abusive?
o FRTIB response: If an organization is invited in for a demonstration, this can be discussed at that time.
o Question: Compliance is a very broad category of violations; can you define what compliance means specifically? Are there specific regulatory guidelines you are trying to adhere to, such as PCI DSS or the DISA STIGs, and what are they?
o FRTIB response: If an organization is invited in for a demonstration, this can be discussed at that time.

Other desired features include:

Identify and report security weaknesses.
o Question: What is considered a security weakness? Is there a set of definitions that describe the minimum acceptable level of security for the resources on the system?
o FRTIB response: Examples of security weaknesses are: unprotected system-level data sets, changes to system-level data sets and members, started tasks being stopped, etc. Part of our desire to explore different solutions is that we will use the abilities of the selected tool to assist with defining potential weaknesses.

Analyze and report activity to detect, prioritize, and remediate security risks.
o Question: What are the criteria for analysis to determine what a specific priority should be for a detected security risk event? Is remediation to be real-time and automated, or is the requirement to provide a workflow capability to track and report on identified security risks from a project management perspective, much as a service desk tool or source management tool would do for their respective areas?
o FRTIB response: We do not expect the security auditing tool to actually remediate security risks. If multiple risks are detected, a recommended prioritization report is desired to assist with the remediation planning.

Report real-time security alerts.
o Question: Please define what type of reporting is to be performed in real time. Is it just an alert on a console? An e-mail to a predefined set of recipients? A report that is automatically triggered and routed somewhere? What is the scope of a security alert? Is there a set of predefined minimum levels that are acceptable and only if exceeded are to be reported on?
o FRTIB response: Reporting may be real-time to a monitored console, e-mailed alerts, automatic reports (via batch jobs), and ad-hoc reporting. The FRTIB recognizes that different tools/solutions may provide different capabilities and therefore wants to review all potential solutions.

Monitor and report on system file (data set) usage.
o Question: What is the definition of system file (data set) usage? Is it who accessed it and when? How many times over a given period? Does the level of usage matter, for example whether it was a read from the file, a write to the file, etc.? Is this a real-time need or a post-forensic need?
o FRTIB response: This is a requirement to report on changes (who, what, when) to data sets such as (but not limited to) SYS1.PROCLIB, SYS1.PARMLIB, etc. We would expect that the FRTIB will be able to identify which data sets we want to monitor.

Reliability, Availability, Maintainability.
o Question: Can we get more clarification on the section "Reliability, Availability, Maintainability: The Agency seeks to discover a software solution that is reliable, available, and maintainable in accordance with industry standard performance"? We are unsure of what "industry standard performance" FRTIB is referencing.
o FRTIB response: The term "industry standard performance" for this request is simply defined as a solution that will not consume inordinate resources (CPU, I/O cycles, memory, etc.) and will operate (produce reports, respond to ad-hoc queries, produce alerts) in a timely fashion.
Clarifying Note: In developing the desired requirements detailed below, the FRTIB attempted to use language and terms taken directly from the publicly accessible web pages of multiple solution providers. The FRTIB recognizes that not all terms equate directly to all solutions.
Sources Sought Notice: z/OS Mainframe Security Auditing & Reporting Software for the Federal Retirement Thrift Investment Board

NOTE: This Sources Sought Notice (SSN) is issued to obtain information and aid the Federal Retirement Thrift Investment Board's (FRTIB's) planning efforts. It is not a solicitation and shall not be considered as a commitment by the Government. All firms responding to this SSN are advised that submissions will not be considered as quotations, bids or offers eligible for contract award.

Introduction: The FRTIB's Office of Technology Services (OTS) seeks to obtain capability statements, information and a free capabilities demonstration of Mainframe Security Auditing & Reporting software to provide internal auditing and reporting capabilities for the FRTIB's mainframe. Information regarding desired software capabilities may be found in Appendix A. Appendix B provides a brief overview of the existing hardware and software infrastructure. The FRTIB invites potential respondents to include in their submissions any baseline requirements for implementation of their software. This document requests vendor information along with software capabilities, installation, integration, training, and support information. The FRTIB will review responses received and may contact qualified submitters to arrange a capability demonstration. Following the conclusion of all market research and requirement definition activities, if the FRTIB determines that a defined need exists, it will issue an appropriate solicitation, with anticipated contract award and implementation of the auditing software beginning during the Fall/Winter of 2015.

Questions regarding this SSN must be submitted to the Contracting Officer, Ms. H. Elease Sanders, solely via e-mail by sending a message to Elease.Sanders@tsp.gov by 11:59 p.m. E.T. on Monday, June 8, 2015.

Interested parties must submit formal responses to this SSN solely via e-mail by sending a message to Elease.Sanders@tsp.gov by 11:59 p.m. E.T. on Monday, June 22, 2015. Late submissions will not be considered unless doing so is determined to be in the best interest of the FRTIB.

Training Requirements: Please make your recommendations for Agency (contractor staff and FRTIB employees) training for 7 to 12 administrators (systems programmers, security administrators, and management).

Demonstration: Developers and authorized resellers shall propose a plan for further explaining the capabilities of qualified offered products during a capability demonstration. Respondents invited to participate in on-site demonstrations shall have 120 minutes to provide a capability demonstration that, while not viewed as an oral presentation as defined within FAR Part 15, displays system functionality to illustrate how the offered solution satisfies the identified requirements and explains how the product shall be purchased and set up in order to achieve the stated functionality.

Prices: Submitted price and cost information must include amounts for all material (e.g., user manuals), software, user licenses, recommended maintenance and recommended training as individual line items, along with pricing for ongoing hosting fees, if any.

Reliability, Availability, Maintainability: The Agency seeks to discover a software solution that is reliable, available, and maintainable in accordance with industry standard performance.

Appendix A: The mainframe (z/OS) security auditing software shall:
o Be compatible with CA-Top Secret.
o Gather/collect system hardware and software information to create a baseline.
o Document, track and monitor the current baseline and system library changes.
o Automate audit and compliance reporting.
o Operate under z/OS 1.12, 1.13, 2.1 and future expected releases.
o Monitor, track, and report on changes to privileged programs.
o Monitor, track, and report on changes to started tasks.
o Monitor and report on privileged users to detect possible insider abuses and compliance violations.

Other desired features include:
o Identify and report security weaknesses.
o Analyze and report activity to detect, prioritize, and remediate security risks.
o Report real-time security alerts.
o Monitor and report on system file (data set) usage.

Appendix B: The FRTIB basic mainframe infrastructure consists of an IBM zEC12 2827-H43, Model 703 mainframe in the primary data center and an IBM zBC12 2828-H06, Model A01 at the alternate site. The alternate site is for disaster recovery (DR) and DR testing only. The operating system is z/OS. CA-Top Secret is used for access control and security. Major applications include CICS, DB2, Oracle, and OMNI applications.
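Appendix A asks for a tool that documents, tracks and monitors the current baseline and system library changes, and the Q&A narrows the data set usage item to who/what/when reporting on changes to libraries such as SYS1.PARMLIB and SYS1.PROCLIB. The Python sketch below is an added illustration of the core logic behind that capability; it is not FRTIB material and not any vendor's product. It hashes member contents into a baseline, diffs a later snapshot against it, and joins each difference to the most recent logged write so the report can name who changed what and when. The member names, contents, user IDs, timestamps and the four-field audit record layout are all constructed for the example and are not real SMF or CA Top Secret records; a real implementation would read members from the libraries and take write events from SMF or the security product's audit data.

```python
"""Baseline-and-diff change report for monitored z/OS system libraries.

Added illustration only: hash members into a baseline, diff a later
snapshot, and attribute each difference to the latest logged write.
All data below is constructed for the example.
"""
import hashlib
from datetime import datetime

# Constructed baseline snapshot: DSN(MEMBER) -> member contents.
# Member names follow z/OS conventions; contents are placeholders.
BASELINE_MEMBERS = {
    "SYS1.PARMLIB(IEASYS00)": b"BASELINE IEASYS00 CONTENT\n",
    "SYS1.PARMLIB(PROG00)": b"BASELINE PROG00 CONTENT\n",
    "SYS1.PROCLIB(TSS)": b"BASELINE TSS PROC\n",
    "SYS1.PROCLIB(OLDTASK)": b"BASELINE OLDTASK PROC\n",
}

# Constructed later snapshot: one member changed, one removed, one added.
CURRENT_MEMBERS = {
    "SYS1.PARMLIB(IEASYS00)": b"BASELINE IEASYS00 CONTENT\n",
    "SYS1.PARMLIB(PROG00)": b"MODIFIED PROG00 CONTENT\n",
    "SYS1.PROCLIB(TSS)": b"BASELINE TSS PROC\n",
    "SYS1.PROCLIB(NEWTASK)": b"NEW STARTED TASK PROC\n",
}

# Constructed audit trail, a simplified stand-in for SMF / security-product
# records: (timestamp, userid, dataset(member), access). PROG00 and NEWTASK
# have matching writes; the OLDTASK deletion has none and must be surfaced.
AUDIT_RECORDS = [
    ("2015-06-15T08:02:10", "SYSPRG1", "SYS1.PARMLIB(IEASYS00)", "READ"),
    ("2015-06-15T09:14:33", "SYSPRG2", "SYS1.PARMLIB(PROG00)", "UPDATE"),
    ("2015-06-15T09:20:01", "SYSPRG2", "SYS1.PARMLIB(PROG00)", "READ"),
    ("2015-06-16T14:45:07", "SECADM1", "SYS1.PROCLIB(NEWTASK)", "UPDATE"),
]

# Access levels treated as writes for attribution purposes (constructed set).
WRITE_ACCESSES = {"UPDATE", "ALTER", "CONTROL"}


def build_baseline(members):
    """Map each DSN(MEMBER) to the SHA-256 hex digest of its contents."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in members.items()}


def diff_baselines(baseline, current):
    """Classify members as added, removed, or changed between two hash maps."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "changed": sorted(n for n in old & new if baseline[n] != current[n]),
    }


def last_write(records, member):
    """Most recent write-type access to `member`, or None if none was logged."""
    writes = [r for r in records if r[2] == member and r[3] in WRITE_ACCESSES]
    if not writes:
        return None
    return max(writes, key=lambda r: datetime.fromisoformat(r[0]))


def change_report(baseline_members, current_members, records):
    """Return (member, change_type, userid, timestamp) for every difference.

    A difference with no logged write is reported with userid
    'UNATTRIBUTED' and no timestamp: a library change the audit trail did
    not capture is itself a finding (logging gap or an unaudited path).
    """
    diff = diff_baselines(build_baseline(baseline_members),
                          build_baseline(current_members))
    report = []
    for change_type in ("changed", "added", "removed"):
        for member in diff[change_type]:
            rec = last_write(records, member)
            if rec is None:
                report.append((member, change_type, "UNATTRIBUTED", None))
            else:
                report.append((member, change_type, rec[1], rec[0]))
    return report


if __name__ == "__main__":
    for member, kind, user, when in change_report(
            BASELINE_MEMBERS, CURRENT_MEMBERS, AUDIT_RECORDS):
        print(f"{kind:8} {member:26} by {user:12} at {when}")
```

The line worth a reviewer's attention is the OLDTASK deletion: the diff proves the member disappeared, but no write record explains it, so the report flags it as unattributed rather than guessing. In the terms of the Q&A, a system-level data set change that the audit trail cannot account for is exactly the kind of security weakness the tool should report, not hide.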