Presenter: Braulio J. Cabral CBIIT Enterprise Security Coordinator Pre-proposal Briefing NCI Enterprise Security Program

Page 1

Presenter: Braulio J. Cabral, CBIIT Enterprise Security Coordinator

Pre-proposal Briefing

NCI Enterprise Security Program

Page 2

Content

• Purpose

• Background

• Program Related Activities

• Program Management Model/Framework

• Qualifications

• RFP Information

• Q&A

Page 3

Purpose

The purpose of this RFP is to solicit competitive proposals to establish a contract for the support of the NCI-CBIIT Enterprise Security Program including the following areas:

• Security Policy

• Security Engineering and Operations

• Outreach and awareness

Page 4

Background

• The National Cancer Institute (NCI) has established the Center for Biomedical Informatics and Information Technology (CBIIT) to provide bioinformatics support and integration of its diverse research initiatives to the cancer research community. NCI CBIIT does this, in part, by providing consistent models and comprehensive data in an accessible format to leverage the breadth of information gathered by the basic and clinical research communities.

• A very important aspect of the NCI CBIIT program is the assurance of a trust-business model where stakeholders can participate in scientific research and use the technology we provide to advance their work, with confidence that the proper safeguards are in place to ensure confidentiality, availability and integrity of the information and data processed, stored, and exchanged.

• To accomplish this trust-business model, NCI CBIIT established an Enterprise-wide Security Program (ESP). It is the responsibility of this program to provide the necessary means to protect NCI CBIIT stakeholders' assets while facilitating ease of access to data and services for authorized individuals. The NCI CBIIT ESP implements federal policies, procedures and guidelines for NCI CBIIT and its hosted systems, and provides guidance concerning security requirements to developers of caBIG® applications and services. See the ESP ConOps for more information at: https://wiki.nci.nih.gov/download/attachments/24276546/NCI+Enterprise+Security+Concept+of+Operations-01-14-2010v11_dist.pdf?version=1

Page 5

Program Vision

Page 6

Scope

• The scope of the security program is to advise, assist, and coordinate the execution of security-related activities across the NCI-CBIIT enterprise, with the goal of protecting the confidentiality, integrity and availability of NCI-hosted systems and data, as well as protecting NCI's intellectual property and reputation in matters of security.

• Activities within the scope of the program include, but are not limited to, the interpretation and implementation of security policies, guidelines, and standards; assisting in making operational the processes and procedures necessary to implement those policies; and promoting security awareness among stakeholders.

• The enterprise includes systems hosted by NCI and its contractors, such as caGrid core infrastructure and services, and NCI physical information infrastructure (LAN, servers, data storage, etc.).

Page 7

Program Related Activities

Security Policy

• Third Party Credential Integration

• NCI Security Policy book review and updates

• CBIIT/caBIG Security policy book review and update

OMB Security Performance Metrics activities (FISMA)

• Current environment security performance metrics analysis

• Strategic planning

• Integration of security within the SDLC

• Security advising to the NCI Enterprise Systems (Architecture) team

• Security advising to the NCI Enterprise core infrastructure team

Page 8

Program Related Activities

Security Monitoring and Audit Control

• Monitoring and audit planning and execution

• Assist in executing the vulnerability plan of action

C&A Program Management, Continuous Monitoring and Compliance Support

• Systems inventory, categorization, C&A package preparation and submission

Security Engineering and Operations Activities

• Identity Management, Access Management, NCI PIV integration

• Business Continuity Planning

Security Outreach and Awareness

Page 9

NCI Enterprise Security Program Management Model

The SABSA® Model

• Contextual Security Architecture: the contextual architecture defines security business strategic goals, business vision and the security needs to accomplish the business strategy.

• Conceptual Security Architecture: the conceptual architecture defines business attributes and the business needs for security.

• Logical Security Architecture: the logical architecture defines the security policy, security requirements, data sharing security needs, security services and privilege profiles.

• Physical Security Architecture: the physical security architecture is concerned with security rules, practice, procedures, and security mechanisms.

• Component Security Architecture: the component architecture includes security products and security tools, processes, and protocols.

• Operational Security Architecture: the operational architecture is concerned with assurance of operational continuity, risk management, security service management, and security metrics and performance.

Page 10

Program Management Framework

Page 11

Vendor Qualifications

Page 12

Qualifications

• Demonstrated experience with similar Information Security Management projects in a mixed-domain environment including government, academia and the private sector.

• Use of an information security management methodology, framework or standard (e.g. COBIT, SABSA, ISO, NIST).

• Availability/experience of project management resources

• Demonstrated experience with FISMA C&A processes

• Experience integrating security in the software development Life Cycle.

Page 13

Qualifications

• Technical writing skills, including the ability to document security policies, system security plans, contingency plans, COOP, etc.

• Excellent communication resources, capable of representing the security program in the community (both internal and external) and presenting technical solutions.

• Knowledge of security standards related to FISMA, including but not limited to FIPS200, FIPS199, NIST-SP800 family.

• Technical expertise in the areas of penetration testing, information assurance and privacy, code review for security, and security standards such as WS-* and SAML 2.0.

• Technical expertise in the area of SOA security, and distributed systems security/grid services security.

• Understanding of iterative and incremental development such as RUP.

Page 14

Qualifications

• Knowledge of HL7 and HL7 security profile

• Knowledge of HL7 Service-aware Interoperability Framework (SAIF).

Page 15

RFP Information

Page 16

RFP Purpose (scope)

The scope of the services to be provided includes the following areas:

• Security Policy

  - Procedures and standards for implementation of the security plan

  - Assisting in the interpretation of business and technical level security policies related to CBIIT and caGRID services

  - Administration of contract/trust agreements for caGrid users

• Security Engineering and Operations

  - Integration of security policies and control processes into the SDLC

  - Help in the implementation of security guidance, standards, and procedures to implement and validate the security policy

  - Assist the security program in defining new security related technologies (e.g. security as a service (SaS), access control policies)

  - Assist in the FISMA certification and accreditation process

Page 17

RFP Purpose (scope)

• Security Outreach and Awareness

  - Maintain web security presence (e.g., update web documentation, security training materials, and general security related information)

  - Assist in the distribution of security awareness material and outreach for the caGRID community

  - Assist with strategic communication to and from the program office, CIO/ISSO, and the community at large

Page 18

RFP Response Requirements

• Executive Summary

• Scope and methodology

• Service Deliverables

• Project Management Approach

• Vendor Qualifications and Experience

• Project Staffing

• Price/Cost

Page 19

Security Clearance Requirements

• The majority of NIH employees and contractors are in non-sensitive "Level 1" positions and will undergo a 'National Agency Check with Inquiries' (NACI). This is the minimum investigation required for new Federal employees and contractors. All NIH personnel security investigations are processed through the Office of Personnel Management (OPM).

• For the purpose of this RFP, a Level 1 (NACI) is required, processed by NIH prior to issuing an NIH contractor ID, unless the individual participates in sensitive activities such as C&A, systems administration, network maintenance, etc.

• Level 1 (Non-sensitive): non-sensitive positions are those which include mostly low-risk, non-sensitive, and non-national-security program responsibilities.

Page 20

Security Clearance Requirements

• For resources conducting FISMA Certification and Accreditation activities, a Level 5 is required, procured by the contractor.

Public Trust

Public Trust positions are those positions which require a high degree of integrity with public confidence in the individual occupying the position.

• Level 5 (Moderate Risk level)

• Level 6 (High Risk level)

Reference: http://idbadge.nih.gov/background/security.asp

Page 21

Q&A

Questions?