RFI - Tech Commiittee - Industry Day -13 April - Final.pdf
Date Originally Posted
Feb. 24, 2021, 6:11 p.m.
Request for Information: CIG21R0001
CIGIE Technology Committee Industry Day Series – Information Technology Audit / Federal Audit Executive Council (FAEC)
Council of the Inspectors General on Integrity and Efficiency (CIGIE)
CIGIE Technology Committee

AGENCY CONTRACTING OFFICER: REBECCA MILLS, REBECCA.MILLS@CIGIE.GOV
RFI RELEASED: 24 FEBRUARY 2021
RFI CLOSED: 21 MARCH 2021
VIRTUAL INDUSTRY DAY: 13 APRIL 2021

Council of the Inspectors General on Integrity and Efficiency Page 2 of 9

REQUEST FOR INFORMATION
CIGIE Technology Committee Industry Day Series – IT Audit/FAEC

1.0 Introduction

1.1 Background. The Council of the Inspectors General on Integrity and Efficiency (CIGIE) is an independent entity established within the executive branch to address integrity, economy, and effectiveness issues that transcend individual Government agencies and to aid in the establishment of a professional, well-trained, and highly skilled workforce in the Offices of Inspectors General (OIGs). The CIGIE Technology Committee is a standing committee supporting the overall CIGIE mission, with its own mission to facilitate effective information technology (IT) audits, evaluations, inspections, and investigations by Inspectors General (IGs), and to provide a vehicle for the expression of the OIG community's perspective on Governmentwide IT operations.

The CIGIE Technology Committee is releasing a Request for Information (RFI) to elicit responses from vendors and other interested parties on specific information technology tools, software, and services they can provide to OIGs. Specifically, the purpose of this RFI is to assist the CIGIE Technology Committee in obtaining information on cyber security and Federal Information Security Modernization Act of 2014 (FISMA) audit, evaluation, and inspection tools, software, and services that could assist OIG staff in performing their oversight missions more effectively.

1.2 Purpose. The CIGIE Technology Committee plans to conduct a series of industry days on various topics throughout the year. The information received from this specific RFI will be used to select vendors to participate in an industry day event, to be held on April 13, 2021, on the specific cyber security audit, evaluation, and inspection tools, software, and services they can provide to OIGs for their oversight missions. Future technology industry days are planned for the topic areas of investigations, emerging technology, and data analytics / visualization. Please do not respond to this specific RFI with tools covering those additional topic areas. Responses not related to the current topic will not be considered for the industry day and will be disposed of. Continue to monitor beta.sam.gov for additional RFI announcements.

THIS IS A REQUEST FOR INFORMATION (RFI) ONLY. This RFI is issued solely for information and planning purposes; it does not constitute a Request for Proposal (RFP) or a promise to issue an RFP in the future. This RFI does not commit the Government to contract for any supply or service whatsoever. Further, the CIGIE Technology Committee is not at this time seeking proposals and will not accept unsolicited proposals. Respondents are advised that the U.S. Government will not pay for any information or administrative costs incurred in response to this RFI; all costs associated with responding to this RFI will be solely at the interested party's expense. Not responding to this RFI does not preclude participation in any future RFP, if any is issued. It is the responsibility of potential offerors to monitor beta.sam.gov for additional information pertaining to this requirement.

2.0 Overview

CIGIE is an independent federal entity established within the executive branch under the authority of the Inspector General Act of 1978, as amended. CIGIE membership includes 75 statutorily created OIGs with the mission to address the integrity, economy, and effectiveness challenges that transcend individual government agencies. The CIGIE Technology Committee, one of the seven standing committees supporting the overall CIGIE mission, promotes effective teamwork in addressing Governmentwide initiatives, improving OIG IT activities, and safeguarding national IT assets and infrastructure. Specifically, the CIGIE Technology Committee provides a forum for the OIGs to share information, including IT best practices and technology capabilities. The CIGIE Technology Committee also coordinates IT-related activities of CIGIE members, advises CIGIE and its members on IT issues, and conducts relevant IT educational and training activities.

OIG auditors regularly perform IT audits, inspections, and evaluations, such as the FISMA independent evaluation, throughout the year. Specifically, the OIGs might report on a variety of vulnerabilities, such as threats from malicious code, malware, rootkits and botnets, corrupted software files, operating system deficiencies, and many other cyber security and internal control weaknesses. Additionally, the results of these IT audits, inspections, and evaluations may help the CIGIE Technology Committee inform the OIGs about relevant crosscutting IT issues.

3.0. Overview of Technologies and Solutions Sought

This RFI is intended to inform the CIGIE Technology Committee on the status of IT audit, inspection, and evaluation cyber security tools, software, and services that assist auditors in conducting cyber security and FISMA audits and evaluations of their organizations. Responses to this RFI will be reviewed to assist the CIGIE Technology Committee in identifying best-in-class solutions, which will in turn allow the OIGs to meet their statutory requirements and effectively meet their oversight missions.

At a minimum, responses to this RFI must include a description of the IT audit, inspection, and evaluation cyber security tools, software, and services available and how they can be used by auditors to accomplish their cyber security and FISMA audit and evaluation work. The tools used or provided by service providers must be consistent with the National Institute of Standards and Technology (NIST) Security Content Automation Protocol. If possible, responses to this RFI should also provide examples of how the tools, software, and services were previously used or are being used to support a government agency's information technology audit, evaluation, and inspection work.

3.1 Capabilities: Information Technology Oversight Support Tools

In this RFI, the CIGIE Technology Committee is interested in learning about cyber security audit and evaluation tools, software, and services that could support auditors in conducting information technology oversight responsibilities:

• Penetration testing – Penetration testing is security testing in which assessors mimic real-world attacks to identify methods for circumventing the security features of an application, system, or network. It often involves launching real attacks on systems and data using tools and techniques commonly used by attackers.1
• Vulnerability scanning – Vulnerability scanning involves using automated tools to identify hosts, host attributes (e.g., operating systems, applications, open ports), and their associated vulnerabilities. Vulnerability scanning tools typically help identify outdated software versions, missing patches, and misconfigurations.2
• Asset identification – Attributes and methods (e.g., tools, software, or services) to uniquely identify an asset.3
• Social media vulnerability assessment – Tools, software, or services that may help test the vulnerability of social media (e.g., Facebook, Twitter, LinkedIn).
• Endpoint security – Tools, software, or services that help in evaluating whether endpoints or entry points of end-user devices, such as desktops, laptops, and mobile devices, are protected from being exploited by malicious actors and campaigns.
• Governance, risk, and compliance – Tools, software, or services that help in managing an organization's overall governance, enterprise risk management, and compliance with regulations (e.g., NIST regulations and policy).
• Cloud security monitoring
  o Cloud access security broker – Tools, software, or services that could help OIGs evaluate an organization's cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed.
  o Data migration – Tools, software, or services that could help OIGs evaluate how the organization moves data from one storage system or computing environment to another.
• Wireless assessments – Tools, software, or services that may help OIGs in testing an organization's monitoring of specific parts of the radio frequency spectrum to identify unauthorized wireless transmissions and/or activities.4
• Cutting edge / industry specific – "Cutting edge" or industry-specific cyber security evaluation and oversight tools, software, or services for use by auditors on OIG staff to perform their respective oversight missions.

1 Penetration testing - Glossary | CSRC (nist.gov)

4.0. Responses

The CIGIE Technology Committee will compile all the responses into a single PDF document that will become a reference directory for CIGIE and CIGIE member research. This material will be strictly for internal use by CIGIE and its member organizations only and will not be published on a public-facing website. The document will be used for market research purposes. By submitting an RFI response, you are consenting to be included in the reference directory. All respondents who provide an RFI to the required specifications are not…