Last Updated on 28 Jun 2019 at 2 AM
Sources Sought
R -- CMS-2008-FISMA-SourceSought(2)

Solicitation ID CMS-2008-FISMA-SourceSought(2)
Posted Date 10 Mar 2008 at 4 AM
Archive Date 27 Jun 2019 at 5 AM
Set Aside Total Small Business (SBA) Set-Aside (FAR 19.5)
Contracting Office Office Of Acquisition And Grants Management
Agency Department Of Health And Human Services
Location United States
PLEASE NOTE: THIS SOURCES SOUGHT NOTICE IS A DUPLICATE OF SOURCES SOUGHT NOTICE NUMBER CMS-2008-FISMA-SOURCESOUGHT. THE REASON FOR THIS DUPLICATION IS TO CHANGE THE NAICS CODE FROM 541990 TO 541519. IN ADDITION, PLEASE SUBMIT QUESTIONS AND RESPONSES TO THE SOURCES SOUGHT NOTICE BY E-MAIL TO THE INDIVIDUALS LISTED AS THE POINT OF CONTACT. THE RESPONSE DATE HAS BEEN EXTENDED TO CLOSE OF BUSINESS ON MARCH 20, 2008.

This is a SOURCES SOUGHT NOTICE (SS) to determine the availability of potential small businesses (e.g., 8(a), service-disabled veteran-owned small business, HUBZone small business, small disadvantaged business, veteran-owned small business, and women-owned small business) that can provide an IT Security Audit of an organization/facility to determine whether that organization is in compliance with the Federal Information Security Management Act (FISMA).

The Federal Information Security Management Act (FISMA), Title III of the E-Government Act of 2002, outlines requirements to secure Federal information. Each Federal Agency, including contractors or other organizations who work with the agency, must develop, document, and implement an agency-wide information security program. The National Institute of Standards and Technology (NIST) provides detailed guidance and recommendations for FISMA compliance. The NIST guidelines encompass all aspects of information security.

Sources Sought respondents are also required to have a technical and professional understanding of the requirements listed in this sources sought. In addition to submitting a response to the Sources Sought, businesses can voluntarily "Register as Interested Vendor" on the Federal Business Opportunities website in order to promote teaming and/or prime and subcontractor relationships.
History: The Standard Data Processing System (SDPS) consists of many data and reporting requirements that have been designed and developed in response to the ongoing ADP requirements of the various QIOs and other affiliated partners, such as the Clinical Data Abstraction Center (CDAC), to fulfill its contractual requirements with CMS. This system, which became operational in May 1997, interfaces with CMS Central Office, 53 QIOs and CDAC. Through the SDPS, the QIOs have a database of current Part A claims data, ad-hoc capability to access Part B data, access to national data sets, software tools for data analysis, report generation tools, and project information.

The Quality Improvement Organizations (QIOs) are critical elements of the SDPS project within QualityNet. The SDPS is administered by CMS and is designed to monitor and improve utilization and quality of care for Medicare beneficiaries. The QIO network infrastructure is comprised of a national network of fifty-three (53) QIOs responsible for each U.S. state, territory, and the District of Columbia. Each QIO maintains a staff of multi-disciplinary experts in medicine, quality improvement, health information management, IT systems security, statistical analysis, computer programming and operations, communications, public relations, and clerical/administrative support. The QIO network structures are configured identically with Government Furnished Equipment (GFE) and are managed and supported by CMS IT support contractors.

Historically, the QIO organizations were exempt from meeting the FISMA standards. But, with the increasing threat of identity theft and the OMB mandates to strengthen the security posture of Federal Information Systems that contain sensitive Personally Identifiable Information (PII), CMS can no longer accept the risk. The QIO organizations must now move towards FISMA compliance.
The goal is to quantify and document the existing security posture of the QIO organizations from a FISMA compliance standpoint.

________________________________________________________________

The information from this market research will help CMS plan their acquisition strategy. Please be sure to indicate if you have a GSA schedule contract, a contract on GSA 8(a) STARS, or a contract on GSA VETS GWAC. THIS IS STRICTLY MARKET RESEARCH. THE CENTERS FOR MEDICARE & MEDICAID SERVICES (CMS) DOES NOT INTEND TO ISSUE A REQUEST FOR PROPOSAL. CMS WILL NOT ENTERTAIN QUESTIONS REGARDING THIS MARKET RESEARCH.

BACKGROUND

________________________________________________________________

Federal Information Security Management Act (FISMA): http://www.whitehouse.gov/omb/memoranda/m03-19.pdf

The ability to provide an IT Security Audit of an organization/facility that will determine if that organization is in compliance with the Federal Information Security Management Act (FISMA). The Federal Information Security Management Act (FISMA), Title III of the E-Government Act of 2002, outlines requirements to secure Federal information. Each Federal Agency, including contractors or other organizations who work with the agency, must develop, document, and implement an agency-wide information security program. The National Institute of Standards and Technology (NIST) provides detailed guidance and recommendations for FISMA compliance. NIST guidelines encompass all aspects of information security.

FISMA sections 3544 and 3505 require the following: compliance for every IT system, that is, identification of all systems in use that access federal information, and validation of their compliance. To aid agencies in achieving this, the National Institute of Standards and Technology (NIST) has released a series of guidelines, checklists, and templates that detail acceptable configurations for systems.
Risk Assessment: The agency must have an agency-wide information security program that includes controls and checks to ensure effectiveness, including reporting on existing risks and responses.
Incident response: The NIST controls document outlines specific steps to follow and functions to perform depending on the level of threat posed by the environment.
Intrusion detection: Requires reporting on cyber security, risks and responses.
Boundary protection: Systems and applications should be protected from unauthorized access, both from outside the agency and its contractors, and from within.
Compliance Reporting: Requires detailed reporting on FISMA compliance status.

National Institute of Standards and Technology (NIST) - Federal Information Processing Standards (FIPS) and Special Publication (SP) Series (800 Series):
http://www.nist.gov/
http://www.itl.nist.gov/fipspubs/by-num.htm
http://csrc.nist.gov/publications/PubsSPs.html

In March 2006 NIST issued FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, which mandates NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems, as a federal requirement. The CMS Information System (IS) Acceptable Risks and Safeguards (ARS) document (http://www.cms.hhs.gov/InformationSecurity/14_Standards.asp#TopOfPage) was developed in response to FIPS 200, is the companion document to NIST SP 800-53, and establishes the minimum set of security controls a federal information system must meet from the approved set of CMS security controls identified for each security level.
FISMA Security Audits: The FISMA annual security audit requirement for Federal Information Systems, as prescribed in NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems, requires periodic testing and evaluation of the effectiveness of information security policies, procedures, practices, and security controls, performed with a frequency depending on risk, but no less than annually. The security audit of an organization that supports a Federal Information System will need to follow NIST Special Publication 800-53A (DRAFT), Guide for Assessing the Security Controls in Federal Information Systems (http://csrc.nist.gov/publications/PubsSPs.html), and the Federal Information System Controls Audit Manual (FISCAM) (www.gao.gov/special.pubs/ai12.19.6.pdf) as the baseline to establish the security audit criteria that the organization will be evaluated against.

The business will be required to provide for:
o Development of FISMA baseline audit criteria and documentation;
o Training of auditors;
o Performance of QIO security audit site visits;
o Capability of visiting each of the 53 QIO facilities, 2 times over a 3 year period;
o Documentation of findings/weaknesses;
o Documentation of the FISMA compliance level and risk(s) at each QIO facility;
o Reporting of detailed findings to CMS via the CMS Contractor Integrated Security Suite (CISS) tool (see http://www.cms.hhs.gov/InformationSecurity/70_Guidelines_Tools.asp#TopOfPage);
o Tracking of findings from the initial site visit to the follow-up site visit;
o Management of the milestone status of the findings and maintenance of the documented report findings via the CMS Contractor Integrated Security Suite (CISS) tool;
o Monthly status updates of the Corrective Action Plans (CAPs);
o Monthly input of updated information into the CMS Contractor Integrated Security Suite (CISS) tool;
o Production of the monthly Plan of Action & Milestones (POA&M) update from the CISS tool for submission to the CMS Office of Information Services (OIS);
o Production of a FINAL report detailing the estimated cost and actual weaknesses identified for each QIO, including a grand total for the entire report, for the weaknesses that could not be addressed under the current 9th SOW QIO contract.

CMS References:
CMS - http://www.cms.hhs.gov/
CMS Information Security Program - http://www.cms.hhs.gov/InformationSecurity/01_Overview.asp#TopOfPage
QIO Program - http://www.cms.hhs.gov/QualityImprovementOrgs/01_Overview.asp#TopOfPage

________________________________________________________________

Responses should include, at a minimum, the information identified in each of the following questions:

Business Information
a. Company Name
b. Company Address
c. D&B DUNS Number
d. Current GSA contract(s) and/or schedule(s) that you possess which are appropriate to this Sources Sought. Specifically:
e. Does your organization have a Government approved accounting system? If so, please identify the agency that approved the system.
f. Type of Company (i.e., small business, 8(a), woman owned, veteran owned, etc.) as validated via the Central Contractor Registration (CCR). Note: All offerors who wish to be awarded a Government contract must register on the CCR located at http://www.ccr.gov/index.asp.
g. Company Point of Contact - Name, Phone and Email address
h. Point of Contact, Phone and Email address of individuals who can corroborate the demonstrated capabilities identified in the responses.

Response Information: In order to respond to this notice, contractors must be able to indicate experience and/or the ability to provide all of the numbered points below. Give enough detail so your response clearly indicates that you can provide the following:
1. Knowledge and experience with FISMA security compliance audits.
2. Knowledge and experience with NIST FIPS and Special Publications.
3. Knowledge and experience with GAO FISCAM audit procedures.
4. Knowledge and experience with technical documentation.
5. Knowledge and experience with mobile audit teams.
6. Knowledge and experience with managing a large security oversight program.

Teaming Arrangements: All teaming arrangements should also include the above-cited information and certification for each entity on the proposed team. Teaming arrangements are encouraged.

Responses must be submitted not later than March 20, 2008. The maximum number of pages for submission is 12 pages. This Sources Sought Notice is for information and planning purposes only and is not to be construed as a commitment by the Government. This is not a solicitation announcement for proposals and no contract will be awarded from this Notice. No reimbursement will be made for any costs associated with providing information in response to this Notice. Respondents will not be notified of the results of this evaluation. Capability statements will not be returned.

Other Information:
1. Proprietary Information and Disclaimers: All transmitted information marked proprietary shall be treated as such. Therefore, respondents should identify any proprietary information in their Sources Sought response. Information submitted in response to this Sources Sought will be used at the discretion of the Government. Proprietary materials will neither be distributed to, nor discussed with, any other organization or business. Further, the information submitted will remain confidential insofar as permitted by law, including the Freedom of Information and Privacy Acts. CMS reserves the right to utilize any non-proprietary technical information in the anticipated SOW or solicitation. Respondents should be aware that this Sources Sought is for marketing purposes only and any responses submitted do not constitute a commitment by CMS to treat any offeror more or less favorably in the anticipated forthcoming solicitation and/or ultimate award. Responses to this Sources Sought are not offers and cannot be accepted by CMS to form a binding contract. CMS does not intend to award a contract on the basis of this Sources Sought, or to otherwise pay for the information solicited.
2. Sources Sought Response Feedback: CMS will not respond directly to organizations submitting information in response to this Sources Sought. The information received will be used solely to make informed decisions regarding a potential procurement and to address Draft SOW issues.