WIXLIB

Business RequirementSessionDepartment: Veterans Affair Central OfficeOffice of Information Security (OIS)Working Draft - Internal VA Use Only1

What Does Our ProgramDo? Office of Information Security (OIS) Manages the VA‐wide information security andprivacy programs that protect the informationsecurity and privacy infrastructure of VA “Devoted to supporting all stages of Veteran careby protecting the personal information of Veteransand the employees who serve them” OIS protects the personally identifiable information(PII) of 23 million Veterans, 45 million beneficiaries,and over 300,000 VA employeesWorking Draft - Internal VA Use Only2

OIS Goals Goal 1: Protect the overall VA information security and privacy postureto ensure confidentiality, integrity, availability, and appropriatedestruction of information Goal 2: Integrate risk and performance management into informationsecurity and privacy practices to create a cost and process effectiveprogram Goal 3: Establish an Information Security governance structure andpolicies that create operational efficiency and accountability Goal 4: Seamlessly integrate security processes into VA’s business andIT projects to reduce exposure to risk and maximize efficiency Goal 5: Promote an environment where all employee’s and contractor’sactions reflect the importance of information security accountabilityWorking Draft - Internal VA Use Only3

OIS Offices Business Continuity (BC)Office of Cyber Security (OCS)Field Security Service (FSS)Office of Privacy and Records Management(OPRM) Network Security Operations Center (VA‐NSOC)Working Draft - Internal VA Use Only4

Business Continuity (BC) Provides coordination across VA’sadministration and staff offices within anIntegrated Operations Center Supports emergency management activities,defines policy for contingency and disasterrecovery plans, and coordinates Office ofInformation Technology (OIT) responseeffortsWorking Draft - Internal VA Use Only5

BC Activities Information Systems Contingency Planning(ISCP) IT Systems Disaster Recovery Business Impact Analysis (BIA) Continuity of Operations (COOP)Working Draft - Internal VA Use Only6

Upcoming FY15 ContractOpportunities ‐ BCName of ContractPurposeCOOP SupportProvide enhanced GIS mapping and modeling of Cyber activities, implementation of Crystal Reports forgeoVA expansion,; (geoVA is a tool supporting the Operations Center)IT Contingency PlanSupportProvide support to develop or update IT contingency plan documentation for VA systems, inaccordance with FISMA and NIST guidance.Working Draft - Internal VA Use Only7

How Can You Help BC?Challenges: Technical expertise needed toaddress the specializedrequirements of emergencymanagement and businesscontinuityRelevant Needs: Emergency management and COOPsupport FISMA documentation support towrite IT contingency plans and ITdisaster recovery plans Program Management support forthe Office of Business ContinuityPast Procurements Capabilities: Emergency management and COOPsupportFISMA documentation support towrite IT contingency plans and ITdisaster recovery plansSmall Business Utilization:BC will seek to meet or exceed OI&Tsmall business utilization targets.Working Draft - Internal VA Use Only8

Office of Cyber Security(OCS) Ensures VA information systems, practices,policies, procedures and standards complywith federal mandates and requirements,while improving and advancing the cybersecurity posture of VA and mission partnerswith leading edge guidance, information andsupportWorking Draft - Internal VA Use Only9

OCS Activities Policy Development/Oversight and ComplianceReporting Continuous Readiness in Information SecurityProgram (CRISP) Supporting Initiatives Assessment/Authorization Program Identity and Access Management Program Support Visibility to Everything (V2E) Related Initiatives Security Architecture and Software AssuranceWorking Draft - Internal VA Use Only10

Upcoming FY15 ContractOpportunities ‐ OCSName of ContractCloud Security SupportRCVI Support (Formerly GRC)Risk Management FrameworkPurposeProvide cloud computing security expertise to help VA plan, design, and develop security for cloud computingoperations, and develop security practices for application developmentSupport the deployment, integration, and functional changes to the Risk Vision (RV) GRC tool as it supportsVA’s Assessment and Authorization (A&A) process and continuous monitoring of information technologydevices and assetsAssist in the development of a Risk Management Concept of Operations document to specify a draft design forinitiating, planning, executing, and monitoring and controlling a VA OIS information security risk management(ISRM) capabilityWorking Draft - Internal VA Use Only11

Upcoming FY15 ContractOpportunities ‐ OCSName of ContractPurposeSecurity AssessmentsPerform onsite Security Control Assessments (SCA) to ensure effective security control implementation at VAfacilities on VA systems or in support of mission critical VA sponsored technology resourcesPredictive Analytics CapabilityAnalyze relevant cyber security data currently being collected by the VA to understand the potential totransform this data into usable information to organize and extract knowledge for analysis and publishingWireless ScanningAssist VA respond to the long‐standing OIG findings/observations related to accreditation documentationrelated deficiencies and support a rapid, intensive effort to correct diagramsImplement two‐factor authentication for remote access throughout the agencyRemote 2 Factor AuthenticationWorking Draft - Internal VA Use Only12

How Can You Help OCS?Challenges: Ability to match contracttechnical requirements withqualified companiesRelevant Needs: Continuous Monitoring Big Data Analytics Cyber PolicyPast Procurements Capabilities: Governance, Risk, ComplianceTool Procurement Policy DevelopmentSmall Business Utilization:OCS will seek to meet or exceed OI&Tsmall business utilization targets.Working Draft - Internal VA Use Only13

Field Security Service (FSS) Ensures the privacy, confidentiality, integrity,and availability of VA information systemsthrough oversight and compliance withfederal and department laws and guidance Provides assurance that cost‐effectivesecurity controls are in place to protectautomated systems from financial fraud,waste, and abuseWorking Draft - Internal VA Use Only14

FSS Activities Manages VA‐wide field based Information SecurityOfficers (ISOs) Continuous Readiness in Information SecurityProgram (CRISP) Compliance ‐ Ensures the securityand compliance of all VA information systems Medical Device Protection Program ‐ Ensuresmedical devices used at VA medical centers aresafeguarded against cyber security threatsWorking Draft - Internal VA Use Only15

How Can You Help FSS?Past Procurements Capabilities:Challenges: Technical ExpertiseMatched WithNeeds/Requirement Communicating needs toacquire appropriateexpertise Relevant Needs: Program Managers to support the FieldSecurity Dashboard in support InformationSecurity Situational Awareness Correlation of MDPP security data for weeklysecurity situational awareness reports Technical writing and tracking for requiredsecurity documents, i.e. Risk Assessment,enterprise MOU/ISA, medical deviceguidance, SOP Vulnerability remediation trackingAdministrative SupportTechnical SupportSharePoint SupportCommunicationsSmall Business Utilization:FSS will seek to meet or exceed OI&Tsmall business utilization targets.Working Draft - Internal VA Use Only16

Office of Privacy and RecordsManagement (OPRM) Maintains the integrity and privacy ofVeteran and employee data, handling ofofficial government records, processing ofFreedom of Information Act (FOIA) requests,awareness and prevention of identity theft,and manages VA response to data breachesor loss of sensitive informationWorking Draft - Internal VA Use Only17

OPRM Activities Freedom of Information Act (FOIA) Records Management Release of Names and Addresses (RONA) Controlled Unclassified Information (CUI) Electronic Recordkeeping Initiatives SSN Reduction and Elimination Privacy and Security Events Tracking System (PSETS) Policy and Training Development Efforts Privacy Impact Assessments (PIA) Identity Theft Preventionand DetectionWorking Draft - Internal VA Use Only18

Upcoming FY15 ContractOpportunities ‐ OPRMName of ContractPurposeControl Unclassified InformationEstablish an open and uniform program for managing information that requires safeguarding ordissemination controls pursuant to and consistent with law, regulations, and government‐wide policiesPrivacy Impact AssessmentSupport for the reviewing and tracking of Privacy Impact Assessments (PIA)Working Draft - Internal VA Use Only19

How Can You Help OPRM?Past Procurements Capabilities:Challenges: Contractor StaffTurnover Technical ExpertiseMatched WithRequirement Relevant Needs: Privacy/Records PolicyDevelopment/Enhancements Specialized Training Development Compliance Effort Consultation Freedom of Information Act (FOIA)Support/IntegrationPrivacy Impact AssessmentsPrivacy TrainingWeb Directives SupportSmall Business Utilization:OPRM will seek to meet or exceed OI&Tsmall business utilization targets.Working Draft - Internal VA Use Only20

Network Security OperationsCenter (NSOC) Provides continuous, around‐the‐clockmonitoring of VA’s network – protecting,responding to, and reporting threats Deters, detects, and defeats potentialthreats that may adversely affect networksand systemsWorking Draft - Internal VA Use Only21

NSOC Activities Manages Remote Access to VA Provides Support to Wide Area Network(WAN) Monitors Trusted Internet Connection (TIC)GatewaysWorking Draft - Internal VA Use Only22

Upcoming FY15 ContractOpportunities ‐ NSOCName of ContractISS Premium MaintenanceSecure DNSSecurity Incident and Event Management (SIEM)Tenable Security CenterVulnerability Management ProgramEnterprise Network Defense SupportPurposeEnsure continued compliance with OMB Memorandum M‐08‐23 and NIST SP800‐81 SecureDomain Name System (DNS) Deployment GuideProcure a centralized event and information correlation tool that can correlate informationfrom disparate network and security management systemsSupport the Enterprise scanning solution and Visibility to the Desktop, identify allvulnerabilities and report the findings to the appropriate system administrators forcorrective actionProvide contractor staffing and expertise to support enhanced reporting at both thetechnical and management levels for enterprise vulnerabilitiesProvide server hardware to support enhanced reporting at both the technical andmanagement levels for enterprise vulnerabilitiesProvide premium support for all VA NSOC owned IBM ISS productsWorking Draft - Internal VA Use Only23

Upcoming FY15 ContractOpportunities ‐ NSOCName of ContractPurposeVulnerability Management Deficiencies ProgramProvide contractor staffing and expertise to support enhanced reporting at both thetechnical and management levels for enterprise vulnerabilitiesSupport VA’s Medical Device Protection Program in gathering and correlating data whichwill be used to enhance the safety and security of medical devices on the VA networkMDIA‐ACL Scan and ReviewEnterprise Scan SolutionProvide additional licensing for Regional scannersTenable Additional 400,000 IPsProvide support to the Enterprise scanning solution and Visibility to the Desktop, identiiy allvulnerabilities and reports the findings to the appropriate system administrators forcorrective action and up to managementKey component of WASA testingAppScan Auditor LicensesWorking Draft - Internal VA Use Only24