Proactive Risk and Vulnerability Assessment (RVA)

Statement of Work (SOW)

{Template}

Version 0.2

April 2016

  1. INTRODUCTION

The President has directed his Administration to implement a Cybersecurity National Action Plan (CNAP) that takes near-term actions and puts in place a long-term strategy to enhance cybersecurity awareness and protections, protect privacy, maintain public safety as well as economic and national security, and empower Americans to take better control of their digital security. The CNAP requires GSA, in coordination with the Department of Homeland Security (DHS), to establish appropriate procurement vehicles that allow departments and agencies to procure equivalent Penetration Testing services from leading commercial providers. This Statement of Work (SOW) will help Departments and Agencies procure proactive cybersecurity services in order to better protect systems identified as High Value Assets (HVA) from existing and emerging threats.

1.1 PURPOSE

The purpose of this Statement of Work (SOW) is for Departments and Agencies to be able to quickly procure proactive cybersecurity services from leading commercial providers in order to better protect systems identified as High Value Assets and meet requirements set forth by OMB and DHS. This SOW will assist agencies in procuring proactive cybersecurity services consistent with the Risk and Vulnerability Assessments (RVA) currently being performed by DHS.

1.2 AUTHORITY

OMB Memorandum M-07-16 - Safeguarding Against and Responding to the Breach of Personally Identifiable Information

OMB Memorandum M-16-03 - Fiscal Year 2015-2016 Guidance on Federal Information Security and Privacy Management Requirements

The Cybersecurity National Action Plan (CNAP)

1.3 REFERENCES

NIST SP 800-14 - Generally Accepted Principles and Practices for Securing Information Technology Systems

NIST SP 800-27A - Engineering Principles for Information Technology Security (A Baseline for Achieving Security)

NIST SP 800-30 - Guide for Conducting Risk Assessments

NIST SP 800-35 - Guide to Information Technology Security Services

NIST SP 800-37 - Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach

NIST SP 800-39 - Managing Information Security Risk: Organization, Mission, and Information System View

NIST SP 800-44 - Guidelines on Securing Public Web Servers

NIST SP 800-48 - Guide to Securing Legacy IEEE 802.11 Wireless Networks

NIST SP 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations

NIST SP 800-61 - Computer Security Incident Handling Guide

NIST SP 800-64 - Security Considerations in the System Development Life Cycle

NIST SP 800-86 - Guide to Integrating Forensic Techniques into Incident Response

NIST SP 800-115 - Technical Guide to Information Security Testing and Assessment

NIST SP 800-128 - Guide for Security-Focused Configuration Management of Information Systems

NIST SP 800-137 - Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations

NIST SP 800-153 - Guidelines for Securing Wireless Local Area Networks (WLANs)

1.4 OBJECTIVE

Proactive cybersecurity services will strengthen Federal civilian cybersecurity through the following objectives:

  1. Prioritized Identification and Protection of high value information and assets;
  2. Timely Detection of and Rapid Response to cyber incidents;

The task orders issued by ordering activities and awarded to the contractor can be one, some, or all of the tasks herein. The contractor shall develop a thorough familiarization with the ordering activity’s mission and the role each asset plays in the support of that mission.

  2. SCOPE

The scope of this acquisition will include support in all locations within the United States (CONUS) as well as outside of the United States (OCONUS). Travel may be permitted on a cost reimbursement basis.

  3. TASK REQUIREMENTS

The contractor shall provide proactive Risk and Vulnerability Assessment (RVA) capabilities, which consist of several services available to test externally and internally accessible systems, hosts, and applications in a stakeholder environment. There may be an overlap in requirements among some RVA services; however, it is the specific methodology used to carry out each service in an RVA that makes the services unique. The following tasks shall be applied to each service:

TASK 1 – PRE-ASSESSMENT PLANNING PHASE

During the pre-assessment phase, the assessment team and the agency being assessed must set expectations for each assessment and/or engagement.

SUBTASK 1.0 – Perform Initial Communication

The contractor shall work to schedule stakeholders according to their operating needs. The stakeholder organization should anticipate a two-week engagement period, with one week being externally supported and one week being internal at the on-site location of the stakeholder organization. The contractor shall reach out to schedule a scoping call with the organization.

SUBTASK 1.1 - Deliver Rules of Engagement (ROE)

The purpose of the ROE is to establish the timeframe, scope and the activity that is allowed during an engagement and establish a binding agreement between the stakeholder and the contractor.

SUBTASK 1.2 - RVA Team/Stakeholder complete ROE

When the contractor receives a signed ROE from a stakeholder, it is countersigned and returned to the stakeholders to retain for their records.

SUBTASK 1.3 - Schedule RVA

Once the ROE is signed, returned, and verified, the RVA shall be scheduled and assigned an RVA Program Lead (contractor), who contacts the stakeholder with the testing dates and communicates the default engagement timeline:

Week 1 – External/remote testing of systems, hosts, and applications accessible over the Internet.

Week 2 – Internal/on-site testing of systems, hosts, and applications.

The engagement timeline will be defined by each agency for each assessment as the engagement may vary based on the scope of the engagement.

SUBTASK 1.4 – Conduct RVA Pre-Assessment Meeting

The RVA Program Lead (contractor) shall reach out to the designated stakeholder POC to schedule a Pre-Assessment Meeting to cover services, scoping, targets, expectations, and other logistics.

TASK 2 - TESTING/ASSESSMENT PHASE

During the assessment phase, the contractor is actively engaged in providing the selected service offerings to the stakeholder organization. The contractor Team Lead shall work closely to communicate current status with the designated stakeholder POC to ensure the engagement activity does not impact stakeholder business operations. Any major issues discovered during the assessment, including critical external vulnerabilities, shall be immediately communicated to the stakeholder organization. Stakeholder POC shall immediately be notified if suspected classified information is found. If inappropriately stored PII is suspected, the team shall immediately seek clarification and next actions from the POC.

SUBTASK 2.0 - Commence RVA Engagement

At the beginning of the RVA Engagement, the contractor Team Lead shall provide the stakeholder with an in-brief that describes the action plan to deliver the RVA services. The Team Members shall provide support during the in-brief, answering specific technical questions and providing subject matter expertise as required. The contractor shall permit the government to scan contractor equipment that will be connected to the government network for vulnerabilities or malicious content prior to its connection to the government network. The contractor shall provide to the government all information necessary for the government to determine whether that equipment is authorized to be connected to its network or to store federal information.

Throughout the engagement, the contractor Team Lead shall provide written and, when requested, verbal daily status updates to the designated POC.

SUBTASK 2.1 - Complete RVA Engagement

Once the selected services are completed and the systems are effectively assessed, the contractor Team Lead shall notify the designated stakeholder POC and schedule an out-brief presentation. The contractor Team Lead shall ensure all engagement data is provided to the POC, and a working copy is securely stored and retained for developing the final report as appropriate. All test systems shall be cleansed of stakeholder data prior to completion of the testing phase, except for a consolidated primary and backup working copy of the data for reporting purposes.

TASK 3 – POST ASSESSMENT PHASE

SUBTASK 3.0 - Reporting

The contractor RVA teams shall provide reports consistent with DHS reporting templates. Several templates are used for report generation based on input provided by the contractor RVA Team Lead and Members. Customization of the output is applied as needed. The report delivery process is as follows:

● The contractor Team Lead shall draft a report to the stakeholder two weeks after the completion of the RVA engagement.

● The Stakeholder shall review the draft report over the next one to two weeks.

● The contractor Team Lead shall deliver the final report after any modifications required based on the review of the draft report.

SUBTASK 3.1 - Mitigation Check

Six months after the final report is delivered, the contractor RVA Program Lead or Team Lead shall send a notification to the stakeholder to review the status of any recommended mitigation action from the final report.

  4. PROACTIVE RVA SERVICE DESCRIPTIONS

The contractor shall provide services for the following:

Penetration Testing Services

Penetration testing consists of evaluating the security of the stakeholder’s cyber assets by attempting to gain, with the stakeholder’s permission as with all services described herein, unauthorized access into the computer system, application, or network. The process involves an active analysis for any potential vulnerability that could result from poor or improper configuration, known and unknown software/hardware flaws, or operational weaknesses in processes and technical countermeasures. The analysis is carried out from the position of an adversary/hacker and involves active exploitation of vulnerabilities in which the contractor team attempts to compromise cyber assets. The team shall attempt to gain access and leverage that access to gain additional privileges or access to other hosts throughout the defined scope of the assessment. The Penetration Test service attempts to exploit vulnerabilities that have been identified in an organization’s systems (hosts, applications, databases, or other computer-related resources). The results of this service shall detail the risk exposure for an agency’s systems and demonstrate how vulnerabilities can be exploited to gain access to their systems. Suggested remediation actions to lower an agency’s risk exposure shall also be provided.

During the penetration test, the contractor RVA team shall not delete any live data, shall make every attempt not to disrupt current operations, and shall not perform any Denial of Service attacks. The team shall only concern themselves with discovering and exploiting vulnerabilities which provide greater than intended access to the system or network that is being tested. The contractor RVA team shall be limited to the scope identified in the Rules of Engagement with the stakeholder, even if the test team identifies access to other networks. A data exfiltration test of pseudo PII is an option within the Penetration Test as well.

Network Mapping

The Network Mapping service activity consists of identifying assets on an agreed upon IP address space or network range(s). The contractor RVA teams shall attempt to determine open ports and services, hosts, servers, and operating systems running on the network. Identified assets during the Network Mapping shall serve as the target and scope of a Network Vulnerability Scan Service.

Vulnerability Scan

The Vulnerability Scan service comprehensively identifies IT vulnerabilities associated with stakeholder systems that are potentially exploitable by attackers. The results shall provide agencies with guidance on remediation steps to close any identified vulnerabilities and minimize an agency’s attack footprint.

Phishing Assessment

The Phishing Assessment can include scanning, testing, or both and is part of the one-week external test. [Agencies may decide the level of testing performed for the Phishing Assessment]

● Phishing Scan - The Phishing Scan service measures the susceptibility of a Stakeholder’s personnel to social engineering attacks, specifically email spear-phishing attacks. The contractor team shall generate and send a phishing email to a targeted list of email addresses provided and agreed upon by the stakeholder. Within the email, a user will be asked to click on a suspicious/malicious link. The team shall be able to track the percentage of users that clicked on the link, providing insight into the effectiveness of a security awareness program or measuring the susceptibility to an attack from this vector. During the Phishing Scan, no malicious activity shall be conducted, as it is only a metrics-gathering technique. The contractor RVA team shall ensure firewall rules are in place to accept replies which originate from the stakeholder network ranges and that replies from non-stakeholder networks are denied/dropped at the firewall. All testing activities are conducted from an offsite location agreed upon by the contractor RVA team and stakeholders.

● Phishing Test - The Phishing Test will test the response and detection capability of an organization if an attack is successful. The contractor team shall generate and send a specially crafted phishing email to a targeted list of email addresses provided and agreed to by the POC. If a user (victim) happens to accept the email and open the attachment or click on the supplied link, a back-end communications channel will be attempted to an attack server. This attack server shall then allow the contractor RVA team to communicate with the victim machine. Once the contractor RVA team is able to access the victim machine, they shall verify that the victim machine is in the scope of the testing. If the victim machine is not in scope, the contractor RVA team shall notify and work with the POC to clean up the victim machine. If the victim machine is in scope, the contractor RVA team shall use the victim machine to attempt to discover and exploit additional hosts on the stakeholder network. This will replicate real-life hacking attacks and security breaches; however, the RVA team shall be working in coordination with the POC, and be able to report back on how entry was gained, what additional access was gained, and how the connection ended. The contractor RVA Team shall ensure RVA lab firewall rules are in place to accept replies which originate from stakeholder network ranges and that replies from non-stakeholder networks are denied/dropped at the RVA lab firewall.
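As an added illustration of the Phishing Scan metric described above (not part of the SOW template or any DHS tooling), the Python below scores a constructed landing-page access log: it counts unique recipients who clicked and applies the same stakeholder-range filter the SOW requires at the firewall, so hits from outside the agreed ranges are excluded rather than counted. The network ranges, tracking tokens, addresses and log lines are all constructed sample values.

```python
import ipaddress
import re

# Constructed stand-ins for what the signed ROE would specify: the stakeholder
# network ranges from which landing-page hits are accepted (documentation ranges).
STAKEHOLDER_RANGES = [ipaddress.ip_network("203.0.113.0/24"),
                      ipaddress.ip_network("198.51.100.0/25")]

# Constructed recipient list: one unique tracking token per agreed email address.
RECIPIENT_TOKENS = {"a1f3": "user1@agency.example", "b7c2": "user2@agency.example",
                    "c9d4": "user3@agency.example", "d0e5": "user4@agency.example"}

# Constructed landing-page access log (common log format, one hit per line).
SAMPLE_LOG = """\
203.0.113.17 - - [12/Apr/2016:09:01:12 -0400] "GET /t?id=a1f3 HTTP/1.1" 200 512
203.0.113.17 - - [12/Apr/2016:09:01:40 -0400] "GET /t?id=a1f3 HTTP/1.1" 200 512
198.51.100.9 - - [12/Apr/2016:09:05:03 -0400] "GET /t?id=c9d4 HTTP/1.1" 200 512
192.0.2.44 - - [12/Apr/2016:09:06:00 -0400] "GET /t?id=b7c2 HTTP/1.1" 200 512
203.0.113.88 - - [12/Apr/2016:09:07:30 -0400] "GET /t?id=zzzz HTTP/1.1" 404 0
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET /t\?id=(\w+) HTTP/1\.[01]" (\d{3})')

def in_stakeholder_ranges(ip_text):
    """True if the source address falls inside an ROE-approved stakeholder range."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in STAKEHOLDER_RANGES)

def click_report(log_text):
    """Count unique recipients who clicked. Hits from outside the stakeholder
    ranges are excluded, mirroring the firewall rule the SOW requires."""
    clicked, out_of_range, unknown = set(), 0, 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        src, token, _status = m.groups()
        if not in_stakeholder_ranges(src):
            out_of_range += 1          # would have been dropped at the firewall
            continue
        if token not in RECIPIENT_TOKENS:
            unknown += 1               # not on the agreed recipient list (scanner, typo, forward)
            continue
        clicked.add(RECIPIENT_TOKENS[token])  # repeat clicks by one recipient count once
    sent = len(RECIPIENT_TOKENS)
    return {"sent": sent, "clicked": len(clicked),
            "click_rate_pct": round(100.0 * len(clicked) / sent, 1) if sent else 0.0,
            "out_of_range_hits": out_of_range, "unknown_tokens": unknown}
```

On the constructed log, two of four recipients count as clicked (50.0%); the hit from 192.0.2.44 is excluded as out of range and the unknown token is reported separately.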

Wireless Assessment

The Wireless Assessment can include wireless access point (WAP) detection, penetration testing, or both and is performed while onsite at a stakeholder’s facility. Wireless Network Detection will occur during an onsite portion of an RVA assessment. Engineers shall conduct a walkthrough of stakeholder facilities to identify and evaluate IEEE 802.11 Wireless Access Points (WAPs) that exist within a stakeholder’s physical office location(s) and work with the POC to determine if any rogue access points are in use. Wireless penetration testing analyzes the current wireless infrastructure to identify weaknesses and attempt to exploit them to gain additional access to a stakeholder network. During the wireless penetration test, the contractor RVA Team identifies WAPs and attempts to exploit and gain access to the network through those WAPs. Once access is gained to the wireless network, the team shall attempt to map out the network and discover vulnerabilities. This service cannot be performed remotely.

Web Application Assessment

The Web Application Assessment can include scanning, testing, or both. The test provides a deep and detailed security review of an application that is of particular interest to a stakeholder.

The Web Application Scan service identifies web application specific vulnerabilities and assesses the security posture of selected stakeholder web applications against the Open Web Application Security Project (OWASP) Top Ten common vulnerabilities. The service looks for a wide variety of vulnerabilities such as Cross-Site Scripting and SQL injection, service configuration mistakes and errors, as well as specific application problems. The results of this analysis shall detail the risk exposure for an agency’s Web applications and demonstrate how vulnerabilities in these applications can be exploited. Potential operational impacts of testing shall be reviewed with the POC and plans adjusted accordingly. Depending on web application accessibility, assessment activities may be conducted from contractor test facilities or onsite at a Stakeholder location. Accounts to access a Web Application shall be created by the Web Application Administrators for the contractor RVA team to utilize. Suggested remediation actions to lower an agency’s risk exposure shall also be provided.

Operating System Security Assessment (OSSA)

The Operating System Security Assessment (OSSA) service assesses the configuration of select host operating systems (OS) against standardized configuration baselines (Federal Desktop Core Configuration (FDCC) and United States Government Configuration Baselines (USGCB)). The results identify deviations from Government-required baselines and recommend remediation steps to bring configurations into compliance. All assessment activities are conducted onsite at the stakeholder’s location. Administrator or root-level access will be required for this service.