Cherokee Nation Security & Defense, LLC
Cherokee Nation Security & Defense Enterprise Asset Management System
RFP Document
November 12, 2014
RFP Document
1.0 Introduction...... 3 1.1 COMPANY...... 3 1.2 CONTACT...... 3 1.3 PROJECT OBJECTIVE...... 4 1.4 PROJECT ASSUMPTIONS...... 13 1.5 PROJECT TEAM AND RESPONSIBILITIES...... 15 1.6 PROJECT RESOURCES FORECAST...... 17 2.0 RFP General Information...... 17 2.1 RFP OVERVIEW...... 17 2.2 RFP FORMAT...... 18 2.3 RFP TIMETABLE...... 18 2.4 VENDOR CHARACTERISTICS...... 18 2.5 CONTRACTUAL ISSUES...... 19 2.6 SECURITY AND CONTROL...... 19 2.7 TRAINING...... 19 2.8 DOCUMENTATION...... 19 2.9 DESIGN APPROACH AND STRATEGY...... 19 2.10 ROLES AND RESPONSIBILITIES...... 19 2.11 REJECTION OF BIDS...... 20 3.0 Current State...... 20 4.0 Vendor’s Response to RFP...... 20 4.1 FORMAT OF VENDOR’S RESPONSE...... 20 4.2 INTRODUCTION AND VENDOR BACKGROUND...... 20 4.3 DESIGN APPROACH...... 22 4.4 TRAINING EXPERIENCE...... 22 4.5 PROJECT COSTS...... 22 4.6 SECURITY QUESTIONNAIRE...... 22 4.7 SYSTEM TOPOLOGY / APPLICATION FLOW...... 22 4.8 RFP CERTIFICATION...... 23 5.0 Definitions...... 24 6.0 Business Relationship/Non-Disclosure...... 26 7.0 General Security Questionnaire for System Applications………………………………………………………………… 35
Page 2
1.0 Introduction
1.1 Company
Cherokee Nation Businesses, L.L.C. (CNB) is wholly owned by the Cherokee Nation, the nation's second largest Indian tribe. CNB, the economic engine of the Cherokee Nation, owns companies in the gaming, hospitality, personnel services, distribution, aerospace, manufacturing, telecommunications, technology services, medical equipment, security and defense services, construction and environmental services industries. These businesses have annual revenues of over $700 million and over $100 million in profits. CNB continues to grow and expects to acquire new businesses in the future.
Cherokee Nation Security & Defense (CNSD), a subsidiary of CNB, was created to provide quality employment opportunities for citizens of the Cherokee Nation within an organization that provides state-of-the-art critical site infrastructure protection, security surveillance services, and access control technologies to both government and commercial clients.
1.2 Contact
All questions related to this document should be directed by email to Hossam Azar at the following address: [email protected]
Page 3
1.3 Project Objective
1.31 Overview
The Federal government recently awarded Cherokee Nation Security & Defense (CNSD) a contract to manage its equipment asset inventory. Equipment assets include all access control, intrusion detection and video surveillance systems. CNSD is using multiple spreadsheets to capture the inventory during the first year of the contract while they locate and implement a new software solution. CNSD is responsible for 450 locations. In the future, CNSD expects the solution to support multiple government contracts managing asset inventories.
CNSD is building equipment lists of security cameras, DVRs, servers, airport x-ray equipment, and other IT equipment. The government contract requires specific fields be tracked on all equipment types. CNSD has yet to find all required features on any COTS. CNSD requires a customized solution to meet its contractual obligations.
CNSD seeks an Enterprise Asset Management (EAM) system to manage IT security assets that are government owned. The EAM must support multiple contracts that track assets, warranties, service order calls, preventative maintenance and scheduling, service/maintenance hours spent, and repair parts used on equipment assets. In addition, the desired solution must meet application and data security requirements.
1.32 Business Objective:
Select and implement an Enterprise Asset Management System that:
Streamlines report based CDRL’s (Contractor Data Requirements List) reducing time and cost, currently 60-80 hours per month. Provides inventory reporting to give customers proper asset information for forecasting/planning and determining growth or reduction of resources. Eliminates manual processes of reporting and data entry. Tracks all active, pending, and completed work orders on maintenance, warranty, repair, and support. Delivers accurate and timely reports to customer. Provides efficient management of CNSD resources, work orders, and contracts. Provides ability to add 15-20 sites to the EAM system per month after implementation.
1.33 Business Rules
ID Description BR-1 The contract requires CNSD to report the material of all parts used on equipment assets. BR-2 The solution shall provide tracking an employee’s certification and security clearances. BR-3 The solution shall provide a service call database for all work performed on equipment assets and report completed service/work orders to the government representative. BR-4 The solution shall provide the types of work performed on equipment assets on a Service Order, such as preventative maintenance, warranty, repair, upgrades/enhancements, new installations, inspections, and technical support. BR-5 The solution shall use a default date, such as Contract Date, on existing
Page 4
ID Description equipment assets when the exact date field is unknown, while all new equipment shall have a date not in the future. The field shall be required. BR-6 The solution shall log the name and date of the technician who added or modified an equipment asset for auditing purposes. BR-7 The solution shall allow CNSD to manage the service order status to understand the work required to completion.
1.34 Business Requirements
ID Description R-1 The solution shall use a default date, such as Contract Date, on existing equipment assets when the exact date field is unknown, while all new equipment shall have a date not in the future. The field shall be required. R-2 The solution shall log the name and date of the technician who added or modified an equipment asset for auditing purposes. R-3 The solution shall allow CNSD to manage the service order status to understand the work required to completion.
1.35 EAM Features
ID Description Priority FE-1 Prefer a hierarchical structure beginning with Contract, Zone, Site, High and then Site Location Area. FE-2 Equipment asset inventory containing IT security equipment. BR-3. High FE-3 Spare parts asset inventory used in the repair, maintenance, and High installation of equipment assets. FE-4 Tool for scheduling preventative maintenance on equipment High assets. FE-5 Ability to manage equipment warranties. Medium FE-6 Ability to manage service orders on equipment assets. High FE-7 Ability to manage employee information, such as name, phone, Low certifications, employee role, and their assigned work zone. FE-8 Integrate employee time and labor performed on equipment Low service orders with Deltek Time & Expense. FE-9 Track preventative maintenance plans and service histories on High each equipment asset. FE-10 Create a comprehensive reference library of uploaded documents Low for employees, equipment assets, contract requirements, part assets, warranties, and equipment manuals. FE-11 Provide managing a site's point of contact person, site name, its Medium zone, site location and description. FE-12 Standard and customizable reports. See table 1.37 Standard High Reports. FE-13 Functionality to manage its basic Contract information it must Medium perform for another. FE-14 Logging the employee name and date/time that added or edited Low assets for audit purposes. FE-15 Provide mobile device accessibility with all solution functionality. Low FE-16 Support kitting of spare parts used on equipment assets. Medium FE-17 Provide data security access controls using two-factor Low authentication other than on the device. FE-18 Ability to add custom fields to database and forms. High
Page 5
1.36 Data Requirements
The solution must provide field-level requirements. A vendor may provide additional or similar Objects (entities) and fields not listed below. An asterisk (*) denotes required fields. CRUD codes used below represent Create, Read, Update, and Delete functionality.
DD-1: Equipment Asset
Obje ct Equipment Asset Nam e: Desc ripti A government IT security asset managed by CNSD. Required in monthly reports. on: Fun ctio Admin can CRUD equipment assets. n(s): Employee can CRU equipment assets. Device Type [List]* Device Sub-Type * Model * Model Number * Serial Number Equipment Description * ( text field, 200 char) Fiber/Coax (fiber OR coax?) Install Date * Data In Service (Yes/No/Unknown) : Operable (Yes/No/Unknown) Equipment Status [List] OEM * MCE ID Comments Within Specs (Yes, No, Unknown) Recommended Action ( text field, 200 char) Audit Logging * Doc Storage about Object R-1, R-2 Rule s: Related Object: Equipment Storage, Warranty, Device Type, Preventative Maintenance, Service Order, and Inspection. DD-2: Equipment Status
Obje ct Equipment Status Nam e: Desc As listed by IRS in contract.
Page 6
ripti on: Fun ctio Select ONE from pick list. n(s): Data : Operational, Non-Operational, Damaged, Missing Rule s: Related Object: Equipment Asset
DD-3: Warranty
Obje ct Warranty Nam e: Desc ripti Information about equipment asset warranties. on: Fun Completed by Technician or Admin. ctio Technician – CR n(s): Admin - CRU Warranty Start Date * Data Warranty End Date * : Document Storage about Entity Warranty contact name, phone, company name Warranty Type (Select One: Parts Only, Parts & Labor) * Rule s: Related Object: Equipment Asset
DD-4: Maintenance Plan
Obje ct Maintenance Plan Nam e: Desc ripti Includes required fields to report monthly on equipment asset. on: Fun ctio Admin – CRUD, Technician – CRU n(s): Last Service Date * Next Service Date * Data Comments : Time Maintenance Interval * [Select One: Month, Quarter, Semi-Annual, Annual] Usage Maintenance Interval * [miles, hours]
Page 7
Rule R-1 s: Related Object: Equipment Asset Rule s: Related Object: Equipment
DD-5: Device Type
Obje ct Device Type Nam e: Desc ripti Device Type determines the task order list performed on each equipment type on: Fun ctio Select from pick list n(s): Card Access-Intrusion Detection Security Operations Center CCTV Matrix Badge Encoder Fiber Optic Transmitter Data CCTC Monitor : Pre-Processor Unit PTZ CCTV Camera Tape Back-up Emergency Call Station RTU Panel Fixed CCTV Camera Dedicated Micros Rule s: Related Object: Equipment
DD-6: Part Asset
Obje ct Part Asset Nam e: Desc Part Assets are spare part inventory items installed on equipment assets. Part ripti Assets may be bundled in a Kit and will be stored at multiple site locations. on: Fun ctio Admins can CRUD part assets. Technicians can CRU part assets. n(s): Data Part Name * : Part Serial Number Part Description Quantity *
Page 8
Part Material * [See List] Unit Cost* Manufacture Place* Reorder Level Min Stock Level Max Stock Level Original Price Part Supplier Kit Number Kit Value Doc Storage for Entity Zone* Site* Rule Kit Value = sum amount of all parts in a kit. s: Zero to many parts may be used on an equipment asset which is listed on a Service Order. DD-7: Part Material
Obje ct Part Material Nam e: Desc Part material options as defined in the contract regarding the material origin of ripti parts used on equipment assets. on: Fun ctio Select One per part. n(s): New Reconditioned Data Recovered Material : Remanufactured Virgin Material Used Manufactured End Product Rule BR-1 s: Related Object: Part Asset DD-8: Employee
Obje ct Employee Nam e:
Desc An employee of CNSD. Required to maintain employee information on full-time ripti or contract workers located at a Site. Required to store and report information on: on an employee’s certifications, experience, and security clearances, if requested.
Fun Employee name, and employee ID must integrate with Deltek. ctio
Page 9
n(s): Employee Name Employee Phone Employee Email Data Employee Type [Employee OR Sub-contractor] : Employee Certifications (0:M) Employee Title Employee Security Clearance Level Doc Storage Items for Entity Rule s: BR-2
DD-9: Employee Labor
Obje ct Employee Labor Nam e: Desc An employee’s labor associated with start/end/wait date/time on a work order ripti along with the total site hours and overtime. on: Fun ctio Entered on a Service Work Order and transmitted to Deltek Time & Expense. n(s): Labor Date Labor Start Time Labor End Time Data Labor Wait Time : Travel Time Total Site Hours Overtime/Emergency/Holiday Hours Specialty Labor Hours Comments (memo, 200 chars) Rule s: Related Object: Employee
DD-10: Service/Work Order
Obje ct Service Order Nam e:
Desc A form containing work performed on an equipment asset. Must also be a ripti standard report. Required to document all service calls and retain history on: records of such.
Fun ctio An Employee can CRU. An Admin can CRUD. n(s): Data Urgency Level * [List]
Page 10
Order Type * [List] Report Date * Request Date Order Status * : Part ID Comments RMA Number Recommended Action Doc Storage items for Entity BR-3 Rule Related Object: s: Order Type, Order Status, Equipment Asset, Part Asset, Site Location Area, Employee DD-11: Order Type
Obje ct Order Type Nam e: Desc A description of types of work performed on equipment and listed on a Service ripti Order on: Fun ctio Required: Select One from a pick list n(s): Preventative Maintenance Warranty Data Repair : Upgrade/Enhancement New Install Tech Support Inspection Rule s: BR-4
DD-12: Order Status
Obje ct Order Status Nam e: Desc Allows CNSD to manage Service Orders and know where the work required to ripti completion stands. on: Fun ctio Required: Select One from the pick list n(s): Data Assigned : In-progress Pending
Page 11
Closed (Completed) Cancel Deferred Rule R-3 s: Related Object: Service Order.
DD- 13: Zone
Obje ct Zone Nam e: Desc A geographical area defined by the customer, which each zone containing many ripti Sites. AKA Region. on: Fun ctio Admin can CRUD. n(s):
Data Zone Name * : Site * (1:M) Task Order (1:M) Rule s: Related Object: Site
DD-13: Site
Obje ct Site Nam e: Desc ripti A physical location where CNSD will manage its contract’s equipment assets. on: Fun ctio Admin can CRUD. n(s):
Data Site Name * : Zone or Region * Address * Rule s: Related Objects: Contract, Site Contact, Site Location Area
DD-14: Site Location Area
Obje ct Site Location Area Nam e:
Page 12
Desc ripti Represents a specific location within a Site on: Fun ctio Admin can CRU n(s):
Data Site Location Name * : Location Description * Building Rule s: Related Object: Site, Employee, Service Order, Equipment Asset, Part Asset
DD-15: Site Contact
Obje ct Site Contact Nam e: Desc The point-of-contact person(s) at each Site, who is a government employee ripti identified in the contract that CNSD must provide reports. on: Fun ctio Admin can CRUD n(s): SC Name * Data SC Phone * : SC Email SC Title Rule A site has one to many site contacts. s: Related Object: Site DD-16: Contract
Obje ct Contract Nam e: Desc ripti Store basic information about the contract on: Fun ctio Admin can CRUD n(s): Contract Name Data Contract Number : Contract Start Contract End Rule s: Related Object: Site, Customer
Page 13
DD-17: Customer
Obje ct Customer Nam e: Describes the customer defined in the contract by its common name, such as IRS. Desc In addition, allows for identifying the name of the Agency Owner who may not be ripti the contracted customer, but is the Owner of an equipment asset. CNSD must on: ensure it performs work only for its contracted customer.
Fun ctio Admin can CRUD items n(s): Data Customer Name * : Agency Owner Rule s: Related Object: Contract
1.37 Standard Reports
ID Report Name Report Description REP-1 Service Order Displays work performed on an equipment asset. Must submit report on all Closed service orders within two business days. REP-2 Accomplishments Displays equipment added or deleted in the EAM during a time range. Submit Monthly. REP-3 Progress Report Include and display recent service call summary and preventative maintenance upcoming schedule. REP-4 Security Equipment Display form containing checklist items based upon the Check Sheet equipment’s Device Type. Submit Monthly. REP-5 Security Equipment Display form of equipment filtered by recent service dates. Maintenance Logs Submit Monthly. REP-6 Preventative Display equipment-having PM performed by a date range. Maintenance (PM) Submit Monthly. Accomplishments REP-7 PM Plan Display equipment designated to have PM performed within a timeframe. Submit Monthly. REP-8 PM Deferments Display equipment placed on Deferred status found during PM. REP-9 Equipment Condition Display all equipment that is not operational, its defect, Report and timeframe to work completion. Submit Monthly. REP-10 Equipment Inventory Display all equipment filtered by site, status, and date range.
1.38 Project Management
CNB understands each vendor will bring its own methodology to the project, however, the EAM project must include: Configuration Evaluation/Design Documentation of Business Processes, including Business Process Flows
Page 14
Improvement recommendations Planning Training (materials and hands-on training)
1.39 Key Deliverables
Documented future-state processes based on best practices Installation/Configuration of Enterprise Asset Management System Training o Functional training for pre-selected employees o Online training opportunities within the solution based on each functional system area Technical Support Project plan including milestones and completion date Maintenance Agreement
1.40 Project Completion Criteria:
CNSD management and IT management agree on a plan of action to accomplish system functionality and approve the system implementation. CNSD management reviewed for data accuracy, the implementation plan documented, and a fully configured system in operation. All customizations fully documented and transitioned to CNB IT support personnel. CNSD management sign-off on documentation, the project plan, and a functioning system in place.
1.4 Project Assumptions
1.41 Assumptions
ID Description AS-1 Vendor shall integrate existing spreadsheet data of IT security assets into the solution. AS-2 Provide role-based security within the solution. AS-3 The solution shall be compatible with mobile devices, such as smart phones and tablets. AS-4 The solution shall be available 99.9 percent uptime. AS-5 The solution shall use the English language. AS-6 Vendor shall provide planned system maintenance notification at least one week in advance. AS-7 The solution shall function with multiple operating systems, such as Windows 7 and 8, iOS8. AS-8 The solution shall be cross-browser compatible, such as IE8 and above, Safari, Chrome, and Fire Fox. AS-9 The solution shall be available 24 hours, 7 days per week, 365 days per year. AS-10 The Vendor shall be available for technical support 24 hours 7 days per week. AS-11 The Vendor shall provide CNB a Disaster Recovery Plan (DCP) to assist CNSD in notifying its customers of any adverse incident for the system. AS-12 Capability of data restores must occur within 24-hours of calendar time of system failure.
Page 15
ID Description AS-13 CNB must be able to contact vendor direct for timely issue resolution and escalation, as needed. AS-14 The English language shall be the official language used for communication concerning this project. AS-13 United States currency shall be the official currency concerning this project. AS-14 The solution will include Employee scheduling and items listed in DD-9, but Deltek will remain the main Human Resource application.
1.42 Dependencies
ID Description DE-1 Interface solution with AD for employee authentication to CNB/CNSD owned equipment. DE-2 Interface solution with Deltek Time & Expense to communicate employee information such as type, time, labor, and skills.
1.43 Technical
System must provide audit logging for all actions. System must auto-logoff after 30 minutes of inactivity. System must provide offline data entry. If solution is on premise, the system must support server virtualization, running on supported version of Microsoft server software. It must also support a robust integrated SQL database that will be centralized supporting all locations and business units. If solution is on premise, hardware for the production/test environment will be setup by CNSD and/or Enterprise Asset Management System will be setup by implementation vendor and CNSD. Also, CNSD will purchase any hardware requirement for production/test environments. Backup/recovery procedures will be performed by CNSD throughout the project to avoid loss of data. The capability for database restores to occur within 24 hours of calendar time of system failure will be in place The application must run over a wide area network (WAN). Timely access to the network and hardware environment will be provided by CNSD to the project team 24/7 to troubleshoot and resolve technology issues. CNSD should be able to contact vendor for timely issue resolution and escalation, as needed. System should offer quarterly system updates or patches, as required to address critical system issues.
1.44 Critical Success Factors
Prompt resolution of issues and decisions Project deadlines met Harmonious relationships maintained among the project teams Top management support of the project team and implementation Committed project team of subject matter experts, augmented by business owners and IT personnel where necessary Clearly assigned accountability for project tasks
Page 16
Sufficient resources with appropriate segregation of duties committed to the project Timely Status updates by all team members Structured Change Management Process Timely escalation of issues and missed project due dates Committed Sponsorship
1.45 Quality Assurance
To ensure that the project team is executing the proposed project plan as submitted, CNSD retains the right to review and cancel the agreement after the project begins. In that event, CNSD will pay all reasonable and documented vendor costs in accordance with CNB’s Travel and Expense Policy up through the termination date with no further liability to vendor.
CNSD retains the right to request replacement team members from the vendor and have a team member changed in a timely manner.
The functional design and implementation plan requires the Business Owner and the Technical Owner to sign-off prior to completion of the design project.
Project status including work complete, estimated time to completion, and missed due dates must be delivered to the steering committee on a weekly basis throughout the length of the project.
An issue log must be created and maintained and a status report must be delivered weekly with number of issues resolved and new issues added.
A Change Management process must be established with clear guidelines for requesting a change, approval necessary for change to be implemented, responsibility for change timeline, and determination of successful completion.
1.46 Risk Analysis Summary
Risks for the design and implementation of the EAM system project include missing key deadlines and extending the implementation timeline. Risks and their potential impact should be identified in the design strategy. Documentation should cover both the impact of selecting or rejecting the design and implementation impacts. Risk assessment must recognize CNSD staff may or may not be knowledgeable in EAM system selected and guidance should be provided in risk issue identification. Additional Business Risks listed below:
ID Description BR-1 Solution must include specific fields required by government customer to manage assets and reporting requirements or the government customer can opt not to pay for services rendered by CNSD.
Page 17
1.5 Project Team and Responsibilities
The Project Team will be vital to the overall project success. CNSD will assign the appropriate resources to meet the agreed upon schedule and deliverables.
To ensure that the project is on schedule and work is completed, weekly status meetings will be required from the Project Team and weekly status reports submitted to the appropriate project manager. Project status includes project outlook, brief overview, completion of assigned issues/deliverables, items that were planned but not accomplished, miscellaneous items, issues and concerns, key activities planned for the next week, and key dates, including time off. All issues/deliverables that have been noted as completed must be approved by the Business Owner and submitted at weekly status meetings for review and project team approval.
The following matrix outlines the roles and their responsibilities; team members will be identified prior to start of work.
Roles Responsibilities Project Partner(s) / CNSD Executive(s) affected by each project will provide project Project Sponsor approval, project funding, direction, sponsorship, and timely problem resolution.
The project partner(s) and project sponsor will receive the weekly Project Executive Status Report and may periodically attend the steering council meetings. CNB IT Project Manager Responsible for the project plan, documenting meeting minutes and decisions, escalating issues and coordinating the utilization and proactive participation of the business resources, both within the project team and those involved outside the project team.
Work closely with Implementation Partner in updating the overall project plan. Project Consultant Responsible for the overall success of the project by ensuring that the business requirements are fulfilled while facilitating documented process design, process changes, policy and procedures, testing, and training. CNB Business Owners Each major department or business entity affected by the project will assign a business owner that is responsible for assigning the correct business process specialists, making sure policy and procedures are completed and reviewed, ensuring high and dedicated performance from their assigned team members, and providing direction and guidance to their team members in the design and implementation phase. CNSD Subject Matter Each major department or business entity affected will assign the Experts (SMEs) necessary team members to participate in the implementation effort. These individuals are specialized in one area or process and must have overall knowledge of the current processes, policy and procedures, etc to provide insight into current state design, future state design and completing assigned tasks in a timely manner. They may also assist with employee self-service training. Business Project Responsible for ensuring the correct personnel are available and Improvement Owner performing to high and dedicated performance levels, as well as ensuring the current state/future state tasks are effective and remain
Page 18
on schedule Business Process Responsible for leading current state, future state design sessions, Specialists/Managers documenting process flows, business decisions, and gaining consensus on business processes. CNSD Technical Owner Responsible for assigning the correct technical team, ensuring technical infrastructure and system uptime meets operational requirements, ensuring dedicated performance from their assigned team members, and providing direction and guidance to their team members during the implementation process. CNSD Technical Analyst Designated IT personnel who will perform hardware, architecture and network setup. Participate in the infrastructure review, in the business process documentation, in the implementation strategy, perform necessary development and assist with security design.
1.6 Project Resources Forecast
1.61 Hardware
CNSD will provide computers and phone access for all project team members. CNSD will provide access to printers for all project team members.
1.62 Software
It is assumed that CNSD project managers will have access to Microsoft Project. All CNSD project team members will have access to Microsoft Word, Excel, and PowerPoint. All CNSD and contractor project team members will have access to CNSD email (mainly for scheduling).
1.63 Office Space
CNSD will provide a dedicated work environment for the project team throughout all of the phases of the implementation project. This includes workspace, meeting rooms and training space.
1.64 Security
This work environment will include access to the appropriate CNSD environment, applications, networks, printers and other peripheral devices needed during the project. Contractors will have 24/7 access to workspace, including access to physical facilities if needed, and applicable environments for the duration of the design and implementation.
1.65 Outside Access
CNSD will provide access to Internet and contractor networks, websites, and databases.
Page 19
2.0 RFP General Information
2.1 RFP Overview
The goal of this Request for Proposal (RFP) is to determine if your services meet the functional and technical needs of CNB. Please feel free to submit any additional information you deem appropriate for this project.
Any CD-ROM/disk, and/or user documentation submitted with your proposal will be returned upon written request. All other materials provided will become the property of CNB and will not be returned to the vendor.
RFP submission is: Return bids are due no later than December 3, 2014 at 5:00PM and can be returned via email to Hossam Azar @[email protected]. Bid responses will be held valid for 180 days from the December 3, 2014 due date. The attached “Vendor Security Questionnaire” document must be filled out in its entirety and returned via email with bid prior to bid closing date. Failure to return a copy of the Vendor Security Questionnaire document with all questions answered with bid prior to bid closing will result in disqualification of bid. Any questions must be submitted via email. No verbal questions will be responded to.
RFP responses should include all requested information. This information will be held in confidence and will not be made available to other vendors. Likewise, the vendor agrees to hold in confidence any and all information included in this RFP and will not disclose to a third party any part of this RFP, except as necessary to generate a response to this RFP. CNSD reserves the right to issue one award, multiple awards or reject any or all responses. CNSD reserves the right to make partial awards, to award all work, to reject any and all bids, to waive any and all bid document requirements and to negotiate contract terms with the successful bidder, and the right to disregard all nonconforming, nonresponsive or conditional bids. Discrepancies between words and figures will be resolved in favor of words. Discrepancies between the indicated sum of any column of figures and the correct sum thereof will be resolved in favor of the correct sum. The vendor is responsible for all costs they incur in preparing their response to this RFP. The vendor may be asked to present their response on-site. Any questions regarding this RFP should be communicated via e-mail to Hossam [email protected]. A response will be returned as well as a copy of your question and its response will be posted on the Cherokeebids.org website within one business day or as soon as practicable.
2.2 RFP Format
This RFP is distributed to selected vendors with the document name: CNSD EAM RFP
2.3 RFP Timetable
The timetable below is subject to change, but if any modifications to the project time schedule are made, they will be communicated to all bidders in a timely manner. December 3, 2014 – Bid Responses Due to CNSD
Page 20
December 4, 2014 through December 30, 2014 – Vendor de-scope/interviews/system demos with CNSD project team December 31, 2014 - CNSD Final Selection January 2015 – Begin Contract Negotiation 2.4 Vendor Characteristics
Outlined below, not necessarily in order of importance, are the high-level descriptions of criteria that will be looked for in evaluating proposals.
Successfully implemented an Enterprise Asset Management System. Have a reputation for financial stability and operate a well-established and stable organization Demonstrate an approach and design methodology compatible with the approach outlined in this document CNSD’s preference is a vendor with significant multiple company experience and clients Have a collaborative mindset that enables CNSD to effectively implement and support the process/application
2.5 Contractual Issues
Upon award, Cherokee Nation Security & Defense and the vendor will negotiate a Consulting Services Agreement, Software License Agreement, Software Maintenance and/or Usage Agreement, as applicable, to arrive at mutually agreeable terms and conditions. All work products after award will become the property of CNSD. Vendor must contractually commit to all statements made in their RFP response. All statements in this document are considered in scope even if not identified in vendor documents.
2.6 Security and Control
Specifications are included that summarize the level of security for confidential and sensitive information in applications and functions. Define what controls are provided to ensure the integrity and protection of data within the system.
2.7 Training
Create customized training manual in PDF for CNSD staff by vendor. Vendor to provide hands-on system training for all CNSD staff and internal IT support prior to go-live. 2.8 Documentation
Vendor must provide complete and thorough documentation that addresses any technical, configuration, development or functional change to the system. All customizations must be documented by vendor. All process and workflow creation/changes must be documented. In addition to change justification, the documentation must include a step by step change analysis with visual examples where appropriate. All changes must be mutually agreed to between vendor and CNB/CNSD.
Page 21
2.9 Design Approach and Strategy
Each potential vendor must describe in detail their design approach and strategy including a list of the key advantages of their methodology. In addition, the vendor must describe the deployment strategies for the automation of manual processes.
2.10 Roles and Responsibilities
Each vendor must define the expected roles and responsibilities of their project team. This should be presented in table format indicating roles with their projected timeline.
2.11 Rejection of Bids
CNSD reserves the right to reject any and all bids when such rejection is in the best interest of CNSD. All bids are received subject to this stipulation and CNSD reserves the right to decide which bid shall be deemed lowest and best. A violation of any of the following provisions by the bidder shall be sufficient reason for rejecting his bid, or shall make any Contract between CNSD and the Contractor that is based on his bid null and void: (i) divulging the information in said sealed bid to any person, other than those having a financial interest with him in said bid, until after bids have been opened; (ii) submission of a bid which is incomplete, unbalanced, obscure, incorrect, or which has conditional clauses, additions, or irregularities of any kind; (iii) which is not in compliance with this RFP; or (iv) which is made in collusion with another bidder. The foregoing list is non- exhaustive and CNB reserves the right to reject a bid or nullify any Contract between CNSD and the bidder that is based on his bid for any other reason it deems is in the best interest of the CNSD.
3.0 Current State
3.1 Enterprise Asset Management System (EAM) currently in use
CNSD does not currently utilize an EAM. Most information is currently kept in Microsoft Excel documents.
4.0 Vendor’s Response to RFP
4.1 Format of Vendor’s Response
Please follow the format described below. The RFP responses are to be submitted to Hossam Azar at the e-mail address provided in section 2.1 above. Responses to this RFP should address how all deliverables, features and requirements listed in the RFP shall be met. Where applicable, include which features/deliverables/requirements are standard, optional, or require a customization. Failing to include all documents may result in a disqualification of the RFP. CNSD may include the vendor's response to this RFP as an addendum to any potential contract.
Page 22
4.2 Introduction and Vendor Background
Please complete the following questions to provide CNSD with a thorough understanding of your company’s history and background. Tables are used to facilitate analysis of each vendor's product by standardizing the format of responses to each question. In the tables below, please answer all questions using the blank section under each question.
4.21 Management Summary
Present the overall scope and projected cost of the proposed implementation effort, detailed by product. It should include a brief summary of the strategy in non-technical terms. It should also state specific reasons why the vendor's proposal best satisfies the needs of CNSD.
4.22 Annual Report
Provide a copy of the vendor's most recent annual report, if a public company. If an annual report is provided please reference it below as an attachment to this RFP; otherwise, a statement of financial stability by the vendor's independent auditors will be adequate.
4.23 Organization Chart
Present a company organizational chart or other appropriate information to indicate the organization's ability to support the installation and maintenance and adapt to staffing changes.
4.24 Principals
Identify the principals of the organization who would be responsible for overseeing all aspects of the proposed implementation.
4.25 Implementations
Provide a list of the two most recent implementations. Included in this list should be a brief description of the functional enhancements and timelines for the implementation.
4.26 Team Members
Provide names and resumes of all key personnel and the proposed project team members for review.
4.27 References
Please identify three references that CNB can contact to discuss their project. In addition, please provide a list of customers comparable to CNB.
Page 23
4.28 Vendor Questionnaire
Information Requested Response Company Name: Year Founded: Number of Employees: Number of Offices: Primary Geographic Market Area: Primary Industry Market: Number of Years Implementing EAM: Number of Current/Past Clients Using this Version of the Software:
4.29 RFP Contact Please provide the name, title, address and phone number of the person with whom all contact should be made concerning your response to the RFP.
4.3 Design Approach
Please provide any additional information regarding your design experience for companies with similar challenges as CNSD. Tables are used to facilitate analysis of each vendor's product by standardizing the format of responses to each question.
4.31 Design Experience
Describe what services are typically provided by you, the vendor, during the analysis and design processes.
Describe the approximate staffing, by skill level, which you would recommend to assess, design, and implement both the functional and technical aspects of the implementation.
Describe the approximate staffing and time commitment you suggest CNSD provide to assess and design the EAM system. Identify the number of personnel and skill level required by task.
4.4 Training Experience
Describe all available training programs. Include name, description, objectives and training method.
4.5 Project Costs
Vendor should provide hourly rates for their respective personnel. Please provide in detail a description and cost of the proposed evaluation, design, and upgrade project. These costs should include defining/implementing best practice business processes, analysis and design, testing, etc. A
Page 24
total estimation of time and cost is also required. It is possible that a de-scope meeting or clarifications be obtained after review of bid submission and bidder should be prepared to be responsive in accordance with the timeline provided. 4.6 Security Questionnaire
Vendor must complete Security Questionnaire as part of RFP.
4.7 System Topology / Application Flow
Vendor must provide system topology map and application flow as part of RFP.
4.8 RFP Certification
The vendor must certify to the accuracy and completeness of all information included as a response to this RFP. In the space below, please include the signature and title of the principal in your organization with the authority to represent your products and the contents of your proposal. Printed name:
Signature:
Title:
Date:
Page 25
5.0 Definitions
Term Description AD Active Directory
Agency Owner The owner of the equipment asset, who is not a party to the Contract. CNSD must ensure it performs work only for its contracted customer.
CDRL Contractor data requirements list
CMMS Computerized maintenance management system.
CNB Cherokee Nation Businesses, the parent company of CNSD. CNSD Cherokee Nation Security & Defense is part of the CNB family of companies. Contract A formal and legally binding agreement between a government agency and CNSD.
COTS Commercial-off-the-shelf-software
CRUD Acronym for Create, Read, Update or Delete functionality on specific fields. Customer Describes the customer defined in the contract by its common name, such as IRS.
Deliverable Any measurable, tangible, verifiable outcome, result, or item that must be produced to complete a project or part of a project Device Type Equipment’s Device Type determines the task order list performed on each equipment type. EAM Enterprise Asset Management. The whole life optimal management of the physical assets of an organization to maximize value.
Employee A direct CNSD employee or its employee type, contractor, who is assigned a zone to manage equipment assets. Employee Labor An employee who provides service and charges their time worked on equipment assets. Equipment Asset A government owned IT security asset being managed by CNSD in this project. Equipment Status Status showing if the equipment is operational, non-operational, damaged or missing. Impact Quantitative assessment of the magnitude of loss or gain. If the identified risk were to occur, what is the impact it would have on the team’s ability to produce or maintain the deliverable? Scale rating: 1-3 low, 4 - 7 medium, 8 - 10 high.
Incident Any adverse event whereby some aspect of computer security could be threatened. Adverse events may include loss of data confidentiality, disruption of data or system integrity, disruption or denial of availability, loss of accountability, or damage to any part of the system.
Page 26
Term Description Kitting Bundling different multiple parts together under a unique ID.
Order Status Allows CNSD to manage Service Orders while knowing where the work required to completion stands in the cycle.
Order Type A description of types of work performed on equipment assets and displayed on a Service Order. Part Asset Part Assets are spare part inventory items installed on equipment assets. Part Assets may be bundled in a Kit and will be stored at multiple site locations. Probability The likelihood of an occurrence.
Risk The cumulative effect on the consequences of uncertain occurrences that may positively or negatively affect project objectives.
SaaS Software as a Service
Service Order A work order for providing service on equipment assets. Also listed as a report. Site A government agency location containing IT security equipment assets.
Site Location Area Represents a location and area within a Site. Allows CNSD to describe the location of equipment assets in very large sites on IT equipment locations.
TERO Tribal Employment Rights Office - Cherokee Nation – protects employment rights through monitoring and enforcing tribal TERO.
Warranty Information about an equipment asset’s warranty, or not, and maintained within the EAM. Zone A geographical area defined by the customer, which each zone containing many Sites. A.K.A. Region.
Page 27
6.0 Business Relationship/Non-Disclosure
Page 28
BUSINESS RELATIONSHIP AFFIDAVIT
STATE OF ) ) ss. COUNTY OF )
______, of lawful age, being first duly sworn, on oath states that the nature of any partnership, joint venture, or other business relationship presently in effect or which existed within one (1) year prior to the date of this statement with CNB or other party to the services provided under the Agreement is as follows: ______
Affiant further states that any such business relationship presently in effect or which existed within one (1) year prior to the date of this statement between any officer or director of Consultant and any officer, director, manager or member of the Board of Directors of CNB or other party to the project is as follows: ______
Affiant further states that the names of all persons having any such business relationships and the positions they hold with their respective companies or firms are as follows: ______
Affiant further states that any family/relative relationships present between any officer, director or agent of Consultant and any officer, director, manager or member of the Board of Directors of CNB other party to the Agreement is as follows: ______
Affiant further states that the names of all persons having any such family/relative relationships and the positions they hold with their respective companies or firms are as follows: ______
(If none of the business relationships hereinabove mentioned exist, affiant should so state.)
______
Subscribed and sworn to before me this ______day of ______20__.
______Notary Public
My Commission Expires: ______
Page 29
NON-COLLUSION AFFIDAVIT
STATE OF ) ) ss. COUNTY OF )
, of lawful age, being first duly sworn, on oath says that (s)he is the agent authorized by the bidder to submit the attached bid. Affiant further states that the bidder has not been a party to any collusion among bidders in restraint of freedom of competition by agreement to bid at a fixed price or to refrain from bidding; or with any Cherokee Nation Security & Defense, L.L.C. employee as to quantity, quality or price in the prospective Contract, or any other terms of said prospective Contract; or in any discussions between bidders and any Cherokee Nation Security & Defense, L.L.C. official concerning exchange of money or other thing of value for special consideration in the letting of a Contract.
Signed: ______
TITLE: ______
Subscribed and sworn to before me this ______day of ______, 20__.
______Notary Public
Page 30
AGREEMENT #
NON-DISCLOSURE AGREEMENT
Cherokee Nation Security & Defense, L.L.C., with offices at 777 W. Cherokee St., Catoosa, OK 74015 (“CNSD”) and ______with offices at ______(“Company”), in consideration of the mutual covenants of this Non-disclosure Agreement (“Agreement”), hereby agrees as follows:
1. In connection with discussions and/or negotiations between the parties regarding potential business transactions and relationships ("Subject Matter"), each party to this Agreement may wish to disclose its proprietary or trade secret information ("Information") to the other party on a confidential basis. The disclosing party may consider such Information proprietary under this Agreement either because it has developed the Information internally, or because it has received the Information subject to a continuing obligation to maintain the confidentiality of the Information, or because of other reasons. The disclosing party may consider such Information as a trade secret because such Information derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertained by proper means by, other persons who can obtain economic value from its disclosure or use.
2. When Information deemed to be proprietary or trade secret is furnished in a tangible form, including electronic mail, the disclosing party shall clearly mark the Information in a manner to indicate that it is considered proprietary, confidential, trade secret or otherwise subject to limited distribution as provided herein. When Information deemed to be proprietary is provided orally, including information conveyed to an answering machine, voice mail box or similar medium, the disclosing party shall, at the time of disclosure, clearly identify the Information as being proprietary or confidential or otherwise subject to limited distribution as provided herein. If the disclosing party fails to identify Information as confidential, such disclosing party may correct the omission by later notice consisting of a writing or statement, and the recipient shall only be liable for unauthorized disclosures of such Information made subsequent to said notice. In addition, the existence and terms of this Agreement, and the fact and substance of discussions and correspondence between the parties concerning goods or services, shall be deemed proprietary Information.
3. With respect to Information disclosed under this Agreement, the party receiving Information shall: a. hold the Information in confidence, exercising a degree of care not less than the care used by receiving party to protect its own proprietary or confidential information that it does not wish to disclose; b. restrict disclosure of the Information solely to those directors, officers, employees, affiliates, and/or agents/consultants, including either party’s ability to disclose to commercial lenders, and the Chief and Tribal Council of the Cherokee Nation, with a need to know and not disclose it to any other person; c. advise those persons to whom the Information was disclosed of their obligations with respect to the Information; and, d. use the Information only in connection with continuing discussions by the parties concerning the Subject Matter, except as may otherwise be mutually agreed upon in writing; and e. except for the purposes of evaluating the Subject Matter, not copy or distribute such Information or knowingly allow anyone else to copy or distribute such Information, and any and all copies shall
Page 31
bear the same notices or legends, if any, as the originals.
4. The Information shall be deemed the property of the disclosing party and, upon request, the other party will return all Information received in tangible form (and marked proprietary or confidential) to the disclosing party or will destroy or erase if such Information is recorded on an erasable storage medium, all such Information at the disclosing party's direction, and certify to the disclosing party the Information has been destroyed or erased. If either party loses or makes an unauthorized disclosure of the other party's Information, it shall notify such other party immediately and use reasonable efforts to retrieve the lost or wrongfully disclosed Information.
5. In the event a party or its affiliate(s) makes an unauthorized disclosure, such party shall indemnify the aggrieved party, including the aggrieved party’s officers, directors, managers, agents and/or employees for any loss proximately arising from such disclosure.
6. The party to whom Information is disclosed shall have no obligation to preserve the proprietary nature of any Information which: a. was previously known to such party free of any obligation to keep it confidential; b. is or becomes publicly available by other than unauthorized disclosure; c. is developed by or on behalf of such party independent of any Information furnished under this Agreement; d. is received from a third party whose disclosure does not violate any confidentiality obligation; or e. is disclosed pursuant to the requirement or request of a duly empowered governmental agency or court of competent jurisdiction to the extent such disclosure is required by a valid law, regulation or court order, and sufficient notice is given by the recipient to the disclosing party of any such requirement or request to permit the disclosing party to seek an appropriate protective order or exemption from such requirement or request, unless such notice is prohibited by said order.
7. Neither this Agreement, nor the disclosure of Information under this Agreement, nor the ongoing discussions and correspondence between the parties, shall constitute or imply a commitment or binding obligation between the parties or their respective affiliated companies, if any, regarding the Subject Matter. If, in the future, the parties elect to enter into a binding commitment regarding the Subject Matter, such commitment will be explicitly stated in a separate written agreement executed by both parties, and the parties hereby affirm that they do not intend their discussions, correspondence, and other activities to be construed as forming a contract regarding the Subject Matter or any other transaction between them without execution of such separate written agreement.
8. This Agreement may not be assigned by either party without the prior written consent of the other party, except that no consent is necessary for either party to assign this Agreement to a corporation succeeding to substantially all the assets or business of such party whether by merger, consolidation, acquisition or otherwise. This Agreement shall benefit and be binding upon the parties hereto and their respective successors and permitted assigns.
9. The parties acknowledge that they have had an adequate opportunity to review this Agreement and to consult legal counsel knowledgeable in Federal Indian Law and Cherokee Nation Law regarding the
Page 32
legal effect of this Agreement. This Agreement and any disputes arising out of, or relating to, this Agreement shall be governed by the laws of the Cherokee Nation of Oklahoma.
10. This Agreement shall become effective as of the date set forth below (“Effective Date”). Disclosure of Information between the parties under this Agreement may take place for a period (the “Information Disclosure Period”) of two (2) years after the Effective Date. The obligations of the parties contained in Paragraphs 3 and 4 shall survive and continue beyond the expiration of the Information Disclosure Period indefinitely with regard to Information designated as a trade secret by disclosing party and for a period of three (3) years with regard to all other Information.
11. The parties acknowledge that in the event of an unauthorized disclosure, the damages incurred by a non-disclosing party may be difficult if not impossible to ascertain, and that such non-disclosing party may seek injunctive relief as well as monetary damages against a party that breaches this Agreement.
12. This Agreement constitutes the entire understanding between the parties with respect to the Subject Matter provided hereunder and supersedes all proposals and prior agreements (oral or written) between the parties relating to the confidential nature of the Information provided hereunder. No amendment or modification of this Agreement shall be valid or binding on the parties unless made in writing and executed on behalf of each party by its duly authorized representative.
13. Neither party: a. is responsible or liable for any business decisions made or inferences drawn by the other party in reliance on this Agreement or in reliance on actions taken or disclosures made pursuant to this Agreement; b. shall be liable to or through the other hereunder for amounts representing loss of profits, loss of business, or special, indirect, consequential, or punitive damages.
14. NOTWITHSTANDING ANYTHING IN THIS AGREEMENT TO THE CONTRARY, NEITHER DISCLOSING PARTY MAKES ANY REPRESENTATIONS OR WARRANTIES OF ANY NATURE WHATSOEVER WITH RESPECT TO ANY INFORMATION DISCLOSED, INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR AGAINST INFRINGEMENT.
15. The parties acknowledge that this Agreement does not restrict the ability of the parties to engage in their respective businesses, nor does it limit either party's use or application of any information or knowledge acquired independently of the other without a breach of this Agreement in the course of such party's business.
16. The recipient represents and warrants that no technical data furnished to it by the disclosing party will be exported from the United States, including but not limited to disclosing technical data to a foreign firm, foreign government or foreign national who is not lawfully admitted to the United States as a permanent resident, without first complying with all requirements of the International Traffic in Arms Regulations and the Export Administration Act, including the requirement for obtaining any export license or other approval, if applicable. The recipient shall first obtain the written consent of the disclosing party prior to submitting any request for authority to export any such technical data.
Page 33
17. This Agreement may be executed in one or more counterparts each of which shall be deemed an original, but all of which together shall constitute one and the same agreement. Facsimile signatures to this Agreement shall be deemed to be binding upon the parties.
Each party represents that it has caused this Agreement to be executed on its behalf as of the date written below by a representative empowered to bind that party with respect to the undertakings and obligations contained herein.
Executed and effective this ______day of ______2014.
COMPANY: ______CHEROKEE NATION SECURITY & DEFENSE, L.L.C.
(SIGNATURE) (SIGNATURE)
Russell Claybrook (PRINT NAME) (PRINT NAME)
President (TITLE) (TITLE)
Page 34
Federal FAR/IRSAP Flow-down Provisions
The Federal Acquisition Regulation (FAR) and Internal Revenue Service Acquisition Procedures (IRSAP) clauses, unless the context of the clause requires otherwise, referenced herein are incorporated by reference with the same force and effect as if provided in full text. The intent for referenced clauses is to apply to Seller the necessary requirements of Buyer’s obligations and Prime Agreement with the U.S. Federal Government reflecting Seller’s position as subcontractor to Buyer. Full Text for each FAR clause is available for review at: http://farsite.hill.af.mil/VFFARA.HTM. Specific FAR’s / IRSAP’s are made applicable based on the types of material, services, and/or subcontract purchases involved. Applicable to the clauses incorporated by reference below: 1. Substitute “CNSD” for “Government” or “United States” throughout the clauses where appropriate. 2. Substitute “CNSD Procurement Representative” for “Contracting Officer”, “Administrative Contracting Officer”, and “ACO” in the clauses. 3. Communication/notification required under these clauses from/to the Contractor to/from the Contracting Officer shall be through CNSD.
Regulatory Cite Title Date 52-203-6 RESTRICTIONS ON SUBCONTRACTOR SALES TO THE GOVERNMENT SEPT/200 6 52-203-13 CONTRACTOR CODE OF BUSINESS ETHICS AND CONDUCT APR/2010 52.207-3 RIGHT OF FIRST REFUSAL OF EMPLOYMENT MAY/2006 52.209-9 UPDATES OF PUBLICLYAVAILABLE INFORMATION REGARDING RESPONSIBILITY MATTERS FEB/2012 52.211-5 MATERIAL REQUIREMENTS AUG/2000 52.215-5 CONTRACT TERMS AND CONDITIONS REQUIRED TO IMPLEMENT STATUTES OR EXECUTIVE ORDERS – COMMERCIAL JAN/2013 ITEMS 52.219-8 UTILIZATION OF SMALL BUSINESS CONCERNS DEC/2010 52.222-3 CONVICT LABOR JUN/2003 52.222-17 NONDISPLACEMENT OF QUALIFIED WORKERS JAN/2013 52.222-19 CHILD LABOR—COOPERATION WITH AUTHORITIES AND REMEDIES MAR/2012 52.222-21 PROHIBITION OF SEGREGATED FACILITIES FEB/1999 52.222-26 EQUAL OPPORTUNITY MAR/2007 52.222-35 EQUAL OPPORTUNITY FOR VETERANS SEP/2010 52.222-36 AFFIRMATIVE ACTION FOR WORKERS WITH DISABILITIES OCT/2010 52.222-37 EMPLOYMENT REPORTS ON VETERANS SEP/2010 52.222-40 NOTIFICATION OF EMPLOYEE RIGHTS UNDER THE NATIONAL LABOR RELATIONS ACT DEC/2010 52.222-41 SERVICE CONTRACT ACT OF 1965 NOV/2007 52.222-43 FAIR LABOR STANDARDS ACT AND SERVICE CONTRACT ACT – PRICE ADJUSTMENT (MULTIPLE YEAR AND OPTION SEP/2009 CONTRACTS) 52.222-50 COMBATING TRAFFICKING IN PERSONS FEB/2009 52.222-54 EMPLOYMENT ELIGIBILITY VERIFICATION JUL/2012 52.225-13 RESTRICTIONS ON CERTAIN FOREIGN PURCHASES JUN/2008 52.245-1 GOVERNMENT PROPERTY APR/2012 52.247-64 PREFERENCE FOR PRIVATELY-OWNED U.S. FLAG COMMERCIAL VESSELS FEB/2006 1052.203-9000 NEWS RELEASES AND ADVERTISEMENTS JUN/2005 1052.204-9001 INDENTIFICATION/BADGING REQUIREMENTS MAR/1998 1052.204-9002 PERSONAL IDENTITY VERIFICATION OF CONTRACTOR PERSONNEL OCT/2005 1052.204-9005 SUBMISSION OF SECURITY FORMS AND RELATED MATERIALS AUG/2010 1052.239-9008 SECTION 508 INFORMATION, DOCUMENTATION AND SUPPORT SEP/2006 1052.239-9010 SECTION 508 SERVICES SEP/2006
Page 35
APPLICABLE GOVERNMENT AND SECURITY REGULATIONS
Internal Revenue Service Acquisition Procedure (IRSAP) v. 2
Revenue Manual (IRM) 10.2.1, Physical Security, The Physical Security Program, dated September 18, 2008
Federal Information Security Management Act (FISMA), Title III of the E-Government Act of 2002, P.L. 107-347
OMB Circular No. A-130, Security of Federal Automated Information Resources Appendix III.
Federal Travel Regulation (FTR) 41 Code of Federal Regulations (CFR), Chapters 300 through 304
The National Electric Code (NEC), BOCA, Underwriters Laboratories (UL), NACMA,
Federal Information Processing Standard 175:
Federal Building Standard for Telecommunication Pathways and Spaces (see Electronic Industries Association (EIA/TIA Standard 568-A and related bulletins).
Federal Information Processing Standard 174-1: Federal Building
Telecommunications Wiring Standard (see also Electronic Industries Association EIA/TIA Standard 569 and related bulletins)
OMB Circular No. A-130, Security of Federal Automated Information Resources Appendix III.
http://www.wiringproducts.com/index1.html?lang=en- us&target=d47.html&gclid=CLm0nZ__kpcCFSCysgodfBS8Tg
GSA/PBS Operations and Maintenance Standards and Technical Exhibit
Federal Information Security Management Act (FISMA)
OMB Circular policy M-06-16, Protection of Sensitive Agency Information
NIST Special Publication 800-53 Security Controls
OMB Circular Policy M-06-15, Safeguarding Personally Identifiable Information (PII),
Policy M-06-19 Reporting Incidents Involving Personally Identifiable Information.
INTERNAL REVENUE MANUAL (IRM) 10.8.1
Federal Information Security Management Act (FISMA),
Page 36
E-Government Act of 2002,
The Privacy Act of 1974
OMB Circular A-130, Management of Federal Information Resources.
OMB Policy M-06-16.
National Institute of Standards and Technology (NIST). NIST Special Publication 800-53, Recommended Security Controls for Federal Information / NIST 800-53A and Revision 1,
FIPS 200 Minimum Security Requirements for Federal Information and Information Systems.
NIST special publication 800 Series
Federal Information Processing Standards (FIPS) for computer security.
Information Technology (IT) Security standards and policies.
IRM Handbook 1.23.2, Section 2
General Security Questionnaire For System Applications 1. What is used to store end user account information? a. MS SQL database? i. Is Password Rotation Supported? ii. Is Password Complexity Supported? iii. Are previously used passwords stored so they cannot be reused? iv. What method is applied to the passwords before storing? E.g. Encoding, Hashing, Encryption?
1. If Encoding
a. What is the need to have the password reversed?
b. What is the timeline to have it changed to Hashing?
2. If Hashing
a. Is a salt used?
b. What algorithm is used?
3. If Encryption
a. What encryption is used?
Page 37
b. What key strength?
c. What is the need to have the password reversed?
d. What is the timeline to have it changed to Hashing?
4. Other method not listed? Explain:
b. Active Directory? i. Can Active Directory Groups be used to limit access to who can run the application? ii. Can Active Directory Groups be used to limit access to certain applications functions 1. Example, one user can make entries, but it takes another level of authorization from a manger to change entries. iii. If no on Active Directory, will the vendor modify the application to use Active Directory? c. Cloud? i. If cloud storage, where is the data geographically located? ii. Are any subcontractors located outside the US? iii. Are any employee’s or subcontractor employees not US citizens? d. If not MS SQL or AD or Cloud, what is used for user account storage? i. If cloud storage, where is the data geographically located? ii. Are any subcontractors located outside the US? iii. Are any employee’s or subcontractor employees not US citizens?
2. Does the application use a backend Database for storing data? a. What database system is used? MS SQL, Oracle, Cloud, etc. i. What version? 1. If not the latest version, what is the timeline on getting to the latest version? b. Is any confidential (PCI, PII, HIPPA, other) data stored in the database? i. Is encryption used to protect confidential data? ii. Is any of the data regulated by any compliance or authority? c. Is any Database archiving done? i. If yes. 1. What is the security applied to the Archive? 2. Is any encrypted data decrypted for the archive? 3. Is the archive stored in a location that is hardened as much as the live database?
3. How is an audit trail generated for activity? a. Where is the audit trail stored? i. MS SQL? ii. Offsite at the vendor (cloud)? iii. Local log files on the client? iv. Archived PDF Documents?
Page 38
b. How long is the audit trail stored? c. Is any confidential information stored in the audit trail? d. Is any encryption used on the audit trail storage? e. Does the audit trail contain i. Date/time of alteration. ii. User that performed alteration. iii. Parameter altered iv. Value prior to alteration v. Value after alteration f. How do we view the audit trail?
4. Does the application need Internet Connectivity? a. If yes, is the communication over SSL? b. If yes, what data is being pulled/sent to the Internet?
5. After installation, does any part of subsystem of the application require Windows Local Administrator Rights to run? a. If yes, is the vendor willing to correct this flaw?
6. How does the client application talk to the server backend? E.g. Direct connection to a database, through web/app service, etc.
a. If direct connection to DB, Does the client use Ad Hoc or Stored Procedures?
i. If Ad Hoc at all, can application run on just stored procedures?
b. If direct connection to DB, what authentication method? E.g. DB/Local User or Windows Integrated.
i. If DB/Local User, how are credentials stored on client?
1. Are they encrypted?
ii. If DB/Local User, what connection client is used? ODBC, SQL Native, etc.
7. Is any encryption used in communications between machines in the system? E.g. Between client and server, between application server and database server.
a. If no, can it be implemented?
b. If yes, which communication channels and what level of encryption and algorithm are used? E.g. Client to Server- AES256, Client to Web Server - SSLv3 2048
Page 39
8. Does any part of the backend system require a console application to be left running in the background on the “server” at all times?
a. What is the timeline to correct this defect?
9. Do the client workstations run in kiosk mode (1 generic user logged into machine, many users log into application) or can the application run under the logged in user with any valid user logging into the machine?
a. If yes to kiosk mode, can the application be changed to allow running under any logged in user?
10. Is alerting supported on “odd” behavior? E.g. anything that falls outside of a configurable threshold on the system or unusual activity that goes outside of a normal process.
a. What kind of alerting or mitigating measures can be used in the event of such behavior or threshold breach?
11. Is any form of file share required (on client or server) for the application to operate?
a. If yes, what levels of permissions are required and who will need them?
12. If using a Database, are the DB vendors (Microsoft/Oracle/etc) Best Practices for securing the database server followed? In other words, if a server was set up with Best Practice guidelines, does any of it need to be “loosened” in order for the application to work?
13. Are the Client/Server Operating System (OS) vendors Best Practices for securing the OS in its particular role followed?
14. Is regular patching of the Client and Server OS with the latest vendor patches and service packs supported?
15. Is regular patching of the Database Server with the latest vendor’s patches and service packs supported?
16. Does the application meet all required regulatory compliances? E.g. TICS, PCI, HIPPA, ITAR, etc.?
Page 40
Page 41