11.0 SECURITY FUNCTIONS. The objective of the security operations functions is to provide comprehensive program support in all phases of design, implementation and maintenance of physical and ADP security policies, plans and systems. The contractor may be tasked to provide:

11.1. PROGRAM AND PHYSICAL SECURITY FUNCTIONS. Program management support, systems engineering, integrated logistics support, quality assurance, configuration management, training, materials and support to security operations.

11.1.1. Evaluate, test, deliver, install, and maintain safety and security systems, including individual tokens for public/private key infrastructure and other applications, as appropriate;

11.1.2. Develop full cycle policy and contingency plans to ensure the protection of sensitive FAA and National data.

11.1.3. Provide physical security functions to ensure the safety of personnel, systems, data, and infrastructure.

11.2. INFORMATION SYSTEMS SECURITY FUNCTIONS. The objective of Information Systems Security functions is to address the security of information and computing resources at all organizational levels. Examples of the type of tasks to be done include, but are not limited to, intrusion detection, vulnerability scanning, incident management, firewall management, and anti-virus management. The contractor may be tasked to provide:

11.2.1. Studies, analysis and recommendations on the design and operational implementation of resources support for information technology systems security.

11.2.2. Support in developing security policies for the organization that are carried into all aspects of the system design or security solution. The policy will identify requirements (e.g., availability, integrity, confidentiality, and accountability) that the system should support;

11.2.3. Support for technical system protection (residual information protection, process separation, etc.) for mainframe, desktop, mobile, LAN, and WAN automated information security systems;

11.2.4. Disaster recovery, continuity of operations, and contingency planning, including identification of the organization's systems and enclaves that require procedures and mechanisms to curtail or recover from activities that can disrupt or otherwise interfere with system availability;

11.2.5. Computer security awareness training; computer security incident response; virus and intrusion detection, elimination, and prevention; establishing procedures and mechanisms to limit the introduction of malicious code into IT systems; audit and recovery from insecurities; penetration testing and protection consulting; catastrophic protection programs and drills support; Internet traffic monitoring, analysis and restriction support; computer security plan preparation; certification of sensitive systems; determination of potential threat sources and the probability that a particular threat source will exploit a weakness; quantitative risk analysis of large sensitive systems; security for small systems, telecommunications, and client servers; privacy issues, policies, practices and solutions; Internet, intranet, systems and firewalls analysis; asset value analysis, protections analysis and development/vulnerability analysis; management decision support for security; and support for operating system security services and distributed system security services;

11.2.6. Support to protect communications to ensure the integrity, availability and confidentiality of the communications;

11.2.7. Technical and computer systems support to develop and implement enhancements to airspace models used in the Air Traffic Airspace Lab;

11.2.8. Technical expertise to implement changes to airspace tools and the operating environment, training field personnel on the use of enhancements that are implemented in the airspace tools and on operation of the collaborative airspace analysis network;

11.2.9. Support to computer systems engineering, system requirements, and systems integration operations for Software and Database Management, System Enhancement and Integration, Airspace Design and Evaluation functions, and Program Management of the airspace tools. The Contractor may be tasked to analyze, recommend and generate solutions for airspace tool enhancements for airspace analysis and tools integration into the collaborative airspace analysis network.

11.2.10. Support to conduct computer system security studies and risk analysis and to recommend system security enhancements;

11.2.11. Support to conduct computer system security studies and risk analysis and to recommend system security enhancements and Corrective Action Plans. The corrective action plans will be drafted to address security shortfalls uncovered. They will include actions to be taken, the responsible organizations and individuals for each action, a schedule including key milestones, actions to address root causes and generic applicability, tracking of actions to closure, and steps to verify the effectiveness of actions prior to closure.

11.2.12. Telecommunications, system engineering, and network security services. Administration of the Telecommunications Information Management and Control System and System Engineering and Network Security services, including maintenance of client-server systems with web-based access, and network security and support services.

11.2.13. Implement wireless local area network (LAN) access points (AP) to include all of the traditional AP functionality, as well as specialized sensor capability for detecting intrusions, malicious activity, policy violations, and other network anomalies.

11.2.14. The Contractor shall comply with Department of Transportation (DOT) Information Security Requirements.

11.2.14.1 The contractor shall be responsible for IT* security for all systems operated by or connected to a DOT network, regardless of location. This includes any IT resources or services in which the contractor has physical or electronic access to DOT's sensitive information that directly supports the mission of DOT (e.g., hosting DOT e-Government sites or other IT operations). If necessary, the Government shall have access to contractor and any subcontractor facilities, systems/networks operated on behalf of DOT, documentation, databases and personnel to carry out a program of IT inspection (to include vulnerability scanning), investigation and audit to safeguard against threats and hazards to DOT data or IT systems.

11.2.14.2 Security Plan: With respect to each task order issued under this contract, within 30 days of task order award, the contractor shall develop and provide to the Government for approval an IT Security Plan which describes the processes and procedures the contractor will follow in performance of the instant task order to ensure the appropriate security of IT resources developed, processed, or used under the task order. This Plan shall be written and implemented in accordance with applicable Federal laws including:

11.2.14.3 The Computer Security Act of 1987 (40 U.S.C. 1441 et seq.), the Clinger-Cohen Act of 1996, and the Government Information Security Reform Act (GISRA) of 2000, and shall meet Government IT security requirements including: OMB Circular A-130, Management of Federal Information Resources, Appendix III, Security of Federal Automated Information Resources; National Institute of Standards and Technology (NIST) guidelines; the Departmental Information Resource Management Manual (DIRMM) and associated guidelines; and DOT Order 1630.2B, Personnel Security Management.

11.2.14.4 Personnel Security Management. The contractor shall screen their personnel requiring privileged access or limited privileged access to systems operated by the contractor for DOT or interconnected to a DOT network in accordance with DOT Order 1630.2B, Personnel Security Management, and ensure contractor employees are trained annually in accordance with OMB Circular A-130, GISRA, and NIST requirements with a specific emphasis on rules of behavior.

11.2.14.5 The contractor shall include the above requirements in any subcontract awarded for IT services.

11.2.14.6 *IT means any equipment or interconnected system or subsystem of equipment used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information, and as further defined in OMB Circular A-130 and the Federal Acquisition Regulation part 2.