IT (Cybersecurity) Preparedness and IT Vulnerability Management Support

The US Army Corps of Engineers, Engineer Research and Development Center (ERDC) intends to negotiate on a sole source basis (IAW FAR 13.106-1b) with SecureStrux LLC, 245 East King St., Lancaster, PA 17602-2960, as the only responsible source that can provide all personnel, equipment, supplies, facilities, transportation, tools, materials, supervision, and other items and non-personal services necessary to provide IT (cybersecurity) preparedness and IT vulnerability management support, specifically to address current critical cyber vulnerabilities in preparation for Cybersecurity Readiness Inspection (CCRI). This support includes, but not limited to: HBSS Endpoint Security, ACAS, physical security, and development of all applicable supporting documentation.The SMEs will re-evaluate the security posture using the current CCRI compliance standards and scoring criteria, provide documentation of the findings to the CCRI team lead to include by not limited to a completed DISA CCRI Grading

Criteria Worksheet, JFHQ-DoDIN EndPoint Security OPORD 16-0080 Compliance Worksheet, and Risk Indicator Scoring, and provide continued support to UROC SMEs by assisting with implementation of prior recommendations required for mitigation and remediation efforts.Provide qualified personnel, management, supervision, and quality control necessary for the technology SME to perform assessments within their area of expertise and provide reports to the team lead, in the format specified by the team lead, in MS Word, MS Excel, or Adobe PDF.Provide updates on mitigation and remediation efforts in the format required.Ensure that personnel have the proper and current Information Assurance certification(s) to perform the functions in accordance with DoD 8570.01-M, Information Assurance Workforce Improvement Program. All SMEs must be certified in Information Assurance Technology (IAT) Level III and the appropriate Computing Environment (CE) for their specialty area. In addition, SMEs must possess a current certification by the JFHQ-DODIN in CCRI policies and practices for their subject area. There is no flexibility on the training and certification requirement. The Contractor shall provide documentation supporting the certification and training requirements of all SMEs.All SMEs must hold an appropriate clearance for the network assessed. For SIPRNet, personnel must possess a SECRET or higher clearance level.Technology areas must be evaluated by separate SMEs because multiple USACE personnel, in the categories listed below, who will be the subjects of compliance reviews and demonstrations, are often separate people. Each team make-up will be different based on the areas being assessed on the specific mission and the local site personnel available for the interviews. One person may work on the technologies combined on a single line as follows:1) SME for Network Boundary/Wireless/Ports, Protocols, and Services Service Management (PPSM)2) SME for Internal Network/Video and Voice over Internet Protocol (VVOIP)3) SME for Database/Sharepoint/Operating Systems (OS)/IE/Mobility4) SME for Exchange/Active Directory (AD)5) SME for Web/Sharepoint6) SME for Windows/Web/Domain Name System (DNS)7) SME for Unix/Oracle/Linux8) SME for Traditional Security STIG SME9) SME for ACAS10) SME for Host Based Security System (HBSS)11) SME for CND Directives: Insider Threat Data Transfer Activity (DTA)/Cross Domain Solution (CDS)12) SME for Documentation/Policy ReviewerRevalidate all required assessments, scans, and walk-throughs for all or a portion of the three major CCRI inspection areas, as defined by the scoping document, to include: (1) Technology Areas (2) Computer Network Defense (CND) Directives, (3) Contributing Factors and provide the results to the CRIA/CSAV team lead in the requested format and time frame. Provide technical assistance, guidance, and implementation efforts to local site POCs for actions needed to remediate findings or mitigate associated threats.Perform a thorough and comprehensive preparatory assessment of current information security posture and CCRI inspection requirements IAW all applicable, current DoD STIG checks and provide independent assessment for each technology area's current STIG checks to include Category I, Category II, and Category III checks. Provide results to the CRIA/CSAV team lead; inclusive of a gap analysis, compliance strategy, implementation plan, and recommend courses of action to remediate the non-compliant condition.Requires detailed knowledge of all DOD and Army standards, policies, and guidance as well as Operational Orders (OPORDs), Fragmentary Orders (FRAGOs), Task Orders (TASKORDs), Information Assurance Vulnerability Alerts (IAVMs), issued from JFHQ-DoDIN, US Cyber Command (USCC) and ARCYBER.For the Scanning and remediation technology area, guide the performance of all required vulnerability management scans to include DISA ACAS IAW the CCRI scoring methodology and current ACAS BPG.Perform an assessment of the compliance with the CND directives, [PKI CTO 07-xx, ACAS CND directive], and provide the results to the CRIA/CSAV team lead. Provide guidance and technical assistance on methods to remediate deficiencies.For the HBSS technology area, assess the compliance with OPORD 16-0080 (or current version) by the applicable SME and provide the results to the CRIA/CSAV team lead. Provide SME support to UROC HBSS SME in support of mitigation and remediation of deficiencies.Perform all required walk-throughs of physical security requirements IAW DISA "Traditional Security" checks for traditional and physical security in coordination with the Security Manager, Provost Marshall, and/or G2 at the site; the cyber personnel for IT-related checklist items in the "Traditional Security STIG" and provide the results to the CRIA/CSAV team lead. Provide SME support to UROC Traditional Security SME in support of mitigation and remediation of deficiencies.Perform all required reviews of personnel training, tracking, roles and responsibilities to include but not limited to audits of Duty Appointment Letters (DAL), training records, tracking systems, and certification records for validation and currency. Check the Army Training Certification Tracking System (ATCTS) for completeness and accuracy against "privileged users" lists and provide the results to the CRIA/CSAV team lead. Provide guidance on methods to remediate deficiencies.Perform all required reviews of key documentation and assist with documentation development for gap areas as required by the most recent and applicable versions of "DoDIN Inspections Scoping Workbook" and "JFHQ-DODIN Inspection Coordination Guide" to include but not limited to network diagrams, Authority to Operate (ATO) packages, Connection Approval packages, risk assessments, and Plan of Action & Milestones (POA&Ms), processes, procedures, Standard Operating Procedures (SOPs), and Tactics, Techniques, and Procedures (TTPs). Provide the results to the CRIA/CSAV team lead. Provide guidance on methods to remediate deficiencies.Perform all required reviews of ACE-IT policies, guidance, OPORDs, FRAGOs, Daily Task Orders (DTOs), Standard Operating Procedures (SOPs), and Tactics, Techniques, and Procedures (TTPs) for validation and currency against CCRI requirements and provide the results to the CRIA/CSAV team lead. Provide guidance on methods to remediate deficiencies.Perform all required reviews of the organization's strategies, programs, processes, operations, communications, and culture for compliance and currency against CCRI requirements to include but not limited to cyber security programmatic overview, alignment with a Cyber Security Service Provider (CSSP), incident management, vulnerability management, change management, configuration management, and Continuity of Operations (COOP).Perform all required reviews of the organization's strategies, programs, processes, operations, communications, and culture for compliance and currency against CCRI requirements to include but not limited to cyber security programmatic overview, alignment with a Cyber Security Service Provider (CSSP), incident management, vulnerability management, change management, configuration management, and Continuity of Operations (COOP).SIPRNet findings are classified and must be handled accordingly on SIPRNet. All unclassified "CorpsNet" findings are FOUO and must be encrypted in transport and at rest.This acquisition is being conducted under simplified acquisition procedures. There are no set-aside restrictions for this requirement. The intended procurement will be classified under North American Industry Classification System (NAICS) 541519 with a Small Business Size Standard of $30,000,000.00. This notice of intent is not a request for competitive proposals and no solicitation document exists for this requirement. Parties interested in responding to this notice shall submit capability statements and references. All capability statements received by the closing date of this publication of this synopsis will be considered by the Government. A determination by the Government not to compete based on responses to this notice is solely within the discretion of the Government. Information received will normally be considered solely for the purpose of determining whether to conduct a competitive procurement.Capability statements shall be submitted only by e-mail as a Microsoft Office Word, Microsoft Office Excel, or Adobe PDF attachment to traci.k.hoofman@usace.army.mil. Statements are due by 1400 (2:00pm) Central Standard Time 30 October 2019. No phone calls will be accepted.