
RFI: IT Security Managed Services


Maryland, United States
Government : Federal
RFI

1.    OVERVIEW
The Mission of the National Gallery of Art (Gallery) is to serve the United States of America in a national role by preserving, collecting, exhibiting, and fostering the understanding of works of art, at the highest possible museum and scholarly standards.

Like all modern businesses, the Gallery uses information technology (IT) throughout the organization in the execution of its mission. IT is managed through the Office of the Chief Information Officer (OCIO). The OCIO maintains central control over the IT budget and is responsible for defining and implementing a common and unified IT strategy throughout the Gallery that meets the requirements of its user community.

The IT Security department within the OCIO is responsible for developing policies and procedures and, with the aid of security tools, ensures that Gallery IT systems and services are secured, follow federal IT security requirements, and operate within a level of risk acceptable to the Gallery.

2.    USER POPULATION
To support its mission, the Gallery has a staff of approximately 1,000 employees who do everything from guarding and maintaining the facilities to planning exhibitions and conducting scientific research. In addition, several hundred volunteers and numerous contractors support the Gallery. Throughout the year, the staff is augmented with visiting Fellows and Interns who work and study at the Gallery for short periods of time. There is a substantial amount of coming and going, but at any given time there are about 1,000 active users of Gallery IT services.

3.    IT ENVIRONMENT
The NGA server and networking environment is typical for a mid-sized organization which operates a complex IT infrastructure and compartmentalizes its valuable assets into different networks. The Gallery currently operates two segregated networks. The first network (administrative) provides connectivity to all workstations, servers, applications and mobile devices internally and externally to the Internet. Part of this administrative network extends into the Smithsonian Institution's (SI) Data Center in Herndon, VA. The second network (security) is a closed-loop, isolated network that interconnects physical security systems, electronic (RFID and Retina) sensors and systems, cameras, and physical security management workstations to provide access control and real-time information to ensure the safety of visitors, staff and the valuable works of art stored within the Gallery.
The Gallery has 11 enterprise-wide systems and another 50+ systems used by various departments/divisions to execute their business functions. Of these, about one third are hosted in the Cloud, and the remainder are distributed between the administrative network (either at the Gallery or SI data centers) and the security network. For those systems that are managed by the Gallery or SI, the operating environment is a combination of physical and virtualized servers (hosted on ESXi). Applications which are not virtualized are predominantly systems with operational or functional restrictions.
Similar to other organizations, the Gallery continues to assess and implement the "Cloud First" strategy wherever possible - especially for commodity services (e.g., e-mail, help desk management, intern and Fellowship applications, etc.). At the heart of the Gallery's cloud presence, Active Directory Federation Services (ADFS) has been implemented in the Microsoft Azure Cloud for authenticating to Microsoft's Office 365 and ServiceNow. It is anticipated that this identity management infrastructure will be used to support new cloud-based Software-as-a-Service (SaaS) applications that the Gallery subscribes to in the future.
The server operating systems are Windows 2008, 2008R2 or 2012, along with a few Linux v5, v6 and v7 servers. The Windows and Linux servers are hardened using baselines from the Center for Internet Security (CIS) that are tailored to meet Gallery needs.
The IT Security department operates several applications that are used for monitoring and maintaining a secure operating environment at the Gallery. More tools are anticipated to be added as the IT security program matures.
o    Tenable Security Center and Nessus - Used to scan systems on both the Administrative Network and the Security Network to identify vulnerabilities and determine patch status.

o    HP WebInspect - Used to scan web applications for vulnerabilities.

o    FireEye - The FireEye appliances help maintain an Advanced Persistent Threat (APT)-free and malware-free IT environment within the Gallery. They include endpoint and network monitoring appliances that detect malware on the network and changes made to systems as a result of any malicious infection.

o    McAfee Antivirus - McAfee Antivirus is the traditional A/V solution deployed at the Gallery to protect its computing environments from commodity virus, worm and trojan infections.

o    CyberArk Privileged Account Security - Used to manage administrative credentials used for privileged access.

4.    SCOPE OF WORK
OMB Memorandum M-14-03, titled Enhancing the Security of Federal Information and Information Systems, issued on November 18, 2013, provides guidance for managing information security risk on a continuous basis and builds upon efforts towards achieving the government's cybersecurity goals. Although not an Executive Agency, the Gallery has adopted M-14-03 as a best practice, and the Gallery's Information Systems Security Officer (ISSO) has developed an Information Security Continuous Monitoring (ISCM) program consistent with existing statutes, OMB policy, and NIST guidelines that provides a clear understanding of organizational risk and helps officials set priorities and manage such risk consistently throughout the agency.

The Gallery's ISCM program incorporates 10 different security areas, as explained briefly below.

#    Security Area    Description
1    Account Management    Ensure network and application accounts for all users are based on job responsibilities and follow policy with respect to suspension and termination.
2    Asset Management    Ensure no unauthorized devices are present on the network.
3    Configuration Management    Ensure all devices implement hardened baselines and approved configurations.
4    Continuity of Operations    Ensure all systems have business continuity and system recovery plans that are documented and tested routinely.
5    Documentation Management    Ensure Security Assessment and Authorization (SAA) packages are complete for all 11 enterprise Gallery IT systems.
6    Event and Incident Management    Recording, reviewing, notifying and responding to alerts based on key auditable events.
7    Malware Management    Ensure no malware exists on the Gallery IT network.
8    Security Training    Ensure Gallery network users are made aware of current IT security threats and best practices.
9    Sensitive Information Management    Ability to detect, track and manage sensitive data stored on Gallery systems and on the network.
10    Vulnerability and Patch Management    Ensure that Gallery IT systems are devoid of vulnerabilities that can be exploited.


The Gallery is looking for a qualified IT security contractor who will support the Gallery ISSO in developing, implementing, and managing a program that ensures that the security controls within each of the above-mentioned security areas are performing to the standards established for each area. The contractor shall also provide the appropriate IT security toolset/environment to support the automation of required security activities. Work can be done on-site as well as remotely.

5.    GEOGRAPHIC AREA
The National Gallery of Art is physically located on Constitution Ave. between 3rd and 9th Streets NW in Washington, D.C. NGA staff are located in the East Building, West Building, the Connecting Link and the Sculpture Garden. Staff are also located in swing space at 601 Pennsylvania Ave. NW (North and South Buildings), Washington DC, and at NGA's warehouse in Landover, Maryland.

6.    REQUEST FOR INFORMATION/QUALIFICATIONS
Interested firms should send a short write-up (15 pages maximum) that describes their ability to provide the requested managed security services. Information to be provided should include:
Point of Contact: name, title, e-mail address, phone number of individual to contact for follow-up discussion
Company Information: year established; location; number of employees; products/services that are germane to this request and what percent they represent of your annual revenue; sample clients for products/services requested herein; key subcontractors if typically a part of your engagements.
Product/Services: Describe your offering as related to the 10 security areas listed above in our ISCM program. How are products/services provided: as a cloud service, onsite/remote, or hybrid? How are the tools priced/licensed? Describe your management approach to overseeing the success of your offering in meeting the ISCM program goals. Describe reporting on the management of your service: what types of reports are provided, at what frequency, and to what level in the organization.
Sample Projects (3 max): Short description of contracts that are equivalent to the services requested herein; value of contract, period of performance/duration, type of contract (fixed price, time and materials, fixed price labor categories, etc.). Describe specifics about the support provided and how the services were managed. Be specific about the toolsets and skills of staff that supported the engagement.

Nabil Ghadiali
National Gallery of Art
2000B South Club Drive
Landover, MD 20785

m-benavides@nga.gov
