Federal Bid

Last Updated on 23 Mar 2019 at 8 AM
Sources Sought
Location Unknown

PII Identification Assessment

Solicitation ID HUDOIG-19-RFI-0001
Posted Date 01 Mar 2019 at 8 PM
Archive Date 23 Mar 2019 at 5 AM
NAICS Category
Product Service Code
Set Aside Total Small Business (SBA) Set-Aside (FAR 19.5)
Contracting Office Dept Hud-Chief Procurement Officer
Agency Department Of Housing And Urban Development
Location United States
RFI REQUESTING SOURCES SOUGHT AND CAPABILITY STATEMENTS

THIS IS A SOURCES SOUGHT NOTICE ONLY. This is not a request for offers, quotes or proposals. This notice does not represent a commitment by the Government to issue a solicitation or award a contract. This is a market research tool only to determine the capability of potential sources.

The Department of Housing and Urban Development (HUD) is contemplating establishing a contract under NAICS Code(s) 541519 Other Computer Related Services, and the Small Business Standard is $27.5 Million, PSC Code R799 Other Management Support Services, for technical information technology capabilities. Contractors shall identify any schedules on which their products/services are available (GSA Schedules, NASA SEWP, etc).

Teaming arrangements and joint ventures will be considered for any subsequent procurement based on the Government's market research, provided that the prime contract is awarded to an applicable small business and that small businesses provide fifty percent or more of the support.

Please provide your responses and/or feedback to Robert Coyle at [email protected]. Please refer questions to the same address or call (202) 402-1458.

So, what exactly is HUD contemplating acquiring?

1. PII identification assessment of structured data on HUD mainframes and unstructured databases (i.e. SharePoint, SQL, Excel, File Servers, email, Office 365) across the entire HUD enterprise.

2. Threat analysis and exfiltration testing for the following HUD Program offices - Housing, PIH and CPD.

3. Assessment to determine if a loss of electronic and hard copy sensitive data would be detected through HUD system controls, capabilities and tools; identify whether there is currently any indication of sensitive data being compromised on HUD's high priority systems listed in 1; and assess HUD's ability to prevent future loss of sensitive data.

BACKGROUND

This requirement is new. As a part of routine checks, OIG wishes to conduct an assessment of HUD's IT security controls for the HUD IT network environment and systems protecting PII and other sensitive data, to conduct an in-depth assessment of the security controls protecting PII, and to provide recommendations to correct the deficiencies. With recent breaches of government agency IT systems and overall concern about the state of cybersecurity within government, such efforts are integral to maintaining the confidence of the public in the protection of their information, as well as minimizing the cost and risks of harm in the event of a breach.

GENERAL DESCRIPTION OF WORK
The Contractor shall determine HUD's status of IT security controls in the HUD IT network environment and systems protecting PII and other sensitive data; as well as determine the effectiveness of IT security controls, specifically:

1. PII Identification Assessment.

a. Identify HUD's volume of electronic PII holdings and its vulnerability to unauthorized compromise, removal or alteration.

b. Structured Data (Database PII data) Identification Assessment on IBM and Unisys Mainframe systems and Unstructured Data (SharePoint, SQL, Excel, File Servers, email, Office 365) Identification Assessment

2. Assess whether HUD's IT systems are effectively safeguarding Personally Identifiable Information (PII).

a. Conduct an Environmental Threat Analysis to determine if HUD is already compromised through a "Proactive Adversary Scan"

b. Conduct an in-depth exfiltration testing of high priority systems (i.e. Housing, PIH, CPD)

3. Determine if a loss of electronic sensitive data would be detected through controls, capabilities and tools, by means of the following:

a. Assessing HUD's ability to prevent the loss of sensitive data,

b. Assessing HUD's ability to detect when sensitive data is lost, and

c. Assessing HUD's process for responding to the loss of sensitive data.

Below are the characteristics of the PII assessment requirements:

• Demonstrable knowledge in diverse areas of vulnerability assessments, IT security, data protection and privacy, identity and access management, continuous monitoring and legacy IT systems, as well as knowledge in mainframe vulnerability analysis (IBM and Unisys mainframes).

• Previous experience in adversary scanning techniques, identifying PII data in various IT systems, and mainframe system knowledge.

• Working knowledge of federal IT regulations and guidance.

• Skills in oral and written communication.

• Organized and deadline driven.

The tasks require a set of skill categories based on the following approximate breakdown:

• Information Technology Security 70%,

• Privacy 20%

• Records Management 10%

CONTEMPLATED REPORT REQUIREMENTS

• Vulnerability assessment report

• Results of exfiltration testing and effectiveness of IT security controls with recommended corrections and improvements

• Report on structured (mainframe systems) and unstructured electronic data (types of data, amount of data by category, location)

CONTEMPLATED MAGNITUDE OF THE PROJECT
Estimated dollar range is $250-300,000

CONTEMPLATED PLACE OF PERFORMANCE
Offsite and/or onsite - HUD OIG will provide remote access as necessary.

RESPONSE REQUESTED

Small Businesses are encouraged to respond. Interested parties should identify any schedules or vehicles (i.e. GSA Schedules, Other Multi Agency IDIQs, etc.) which they could provide the described services under.

This synopsis is a market research tool being used to determine the availability and capability of potential sources prior to determining the method of acquisition and whether the government will proceed with this acquisition. The Government will not pay for any information solicited. If a contract is ultimately pursued, responses to this synopsis will be used to aid in determining whether the acquisition is set-aside for small business or in establishing small business subcontracting goals. All qualified firms are encouraged to respond.

The capability statement shall address, at a minimum, the following for the past three years:

1. Name and address of company and/or companies (if there is a teaming arrangement or joint venture);

2. Technical expertise relevant to the requirement;

3. Technical approach relevant to the requirement (1 to 2 paragraphs);

4. Management approach relevant to the requirement (1 to 2 paragraphs);

5. Corporate experience relevant to the requirement (1 to 2 paragraphs);

6. Indicate if you are a small business or any other socio-economic categories that apply to your firm under the designated NAICS code;

7. Whether you have had unequal access to any information relevant to the acquisition that could provide an unfair competitive advantage;

8. Relevant past performance. Your capability statement needs to include a list of three customers (Government/non-Government) within the past three (3) years highlighting similar work in nature, scope, complexity, and difficulty and a brief description of the scope of work. Your submission for relevant past performance must include for each customer:

• Contract name;
• Contracting Agency or Department, POC and contact information;
• Yearly contract value (in $);
• Whether your firm was the prime or a subcontractor;
• Period of performance;
• Description of work and how it relates to the requirements.

Interested firms responding to this market survey must provide a capability statement demonstrating their experience, skills and capability to fulfill the Government's requirements for the above. The capability statement shall be in sufficient detail, but not exceed 10 pages TOTAL excluding cover pages etc., so that the Government can determine the experience and capability of your firm to provide the requirements above. Please specify one primary and one alternate Point of Contact (POC) within your firm, including telephone numbers and email addresses in case clarifications of your submission are needed.
